search

vegaprotocol / vega

A Go implementation of the Vega Protocol, a protocol for creating and trading derivatives on a fully decentralised network.
https://vega.xyz
GNU Affero General Public License v3.0
38 stars 22 forks source link

Wallet: User password not being allows for low entropy #8941

Closed gordsport closed 1 year ago

gordsport commented 1 year ago

Issue

Although it is ultimately the user/node operators responsibility to keep their security in check there is a minor enhancement suggestion that has come from the recent penetration testing audit.

Currently a user can use any any string as a password e.g., vegavega or 123 - these low entropy passwords can be easily brute forced.

It may not be within the ethos of Vega to force a given rule set for the password to have to adhere to, however, maybe measuring the entropy and warning the user the password could be stronger.

dexturr commented 1 year ago

Browser wallet wise, this is completed on the release that went out yesterday, so we wholeheartedly agree! Thanks for the feedback.

CLI wallet wise I am unsure what the plan is.

Screenshot 2023-07-28 at 10 02 12
gordsport commented 1 year ago

duplicate