webrecorder / browsertrix

Browsertrix is the hosted, high-fidelity, browser-based crawling service from Webrecorder designed to make web archiving easier and more accessible for all!
https://webrecorder.net/browsertrix
GNU Affero General Public License v3.0

Add and enforce password validation #1233

Closed tw4l closed 1 year ago

tw4l commented 1 year ago

Requirements

Pages

tw4l commented 1 year ago

OWASP recommendations:

Shrinks99 commented 1 year ago

Looks like zxcvbn (nice name very creative) has a haveIbeenpwned matcher built in which is cool!

Watching the USENIX talk about it, this seems like a great solution... A few points?

  1. Daniel mentions that he prefers UI that "lets users fix the password any way they like" and not imposing strict requirements. Considering that we will have strict length requirements, I do think those (and any others we absolutely need) should be explicitly listed along with the zxcvbn password improvement info. I personally find having to figure out password requirements as I go to be infuriating (as somebody whose passwords are random character strings that are as long as I'm allowed to enter) :P
  2. As a follow up to that, their library seems to basically output a guess count and score that developers (us) can use to demand users enter a more complex password. In the talk, Daniel mentions that this could potentially be quite confusing to people if the demanded score is set too high (see previous point). Should we only require the character limit to be reached and use zxcvbn as a guideline? Should we set a low score as a requirement? He also mentions that the estimator produces metadata that can be used to provide more feedback to the user which would be nice to investigate further.

Fundamentally zxcvbn seems to be a reactive method of telling users what their password should be rather than a proactive one (requirements based). I guess this is mostly something for me to work within: how can we best convey the requirements and recommendations it sets forth to users? 🤔

tw4l commented 1 year ago

First step (requiring passwords to be between 8-64 chars) merged. Seems like we could add zxcvbn to the frontend as a next step to show users the relative strength of their password - might need design from @Shrinks99

tw4l commented 1 year ago

It seems that the Dropbox zxcvbn repo has been dead for a number of years, but there is an active typescript rewrite that might work better for us anyway: https://github.com/zxcvbn-ts/zxcvbn

Shrinks99 commented 1 year ago

While zxcvbn itself is a scoring library that gives suggestions, we want to give users as many reasonable hard requirements that will result in low scores to reduce guesswork while creating a strong password. We should list these, use zxcvbn to check for them, and additionally list actionable suggestions it generates to help people choose stronger passwords. As a bonus check, it would be great to warn them if the password has been compromised! (zxcvbn also does this!)

Hard Requirements

SuaYoo commented 1 year ago

Should we reject passwords on the frontend with a score less than 3? Or less than 4?

Shrinks99 commented 1 year ago

Anyone with a score less than 4 is likely not using a password manager; it's tricky balancing security recommendations with the inherently flawed system of having to remember everything :\

IMO less than 3? We may want to also include a note recommending they use a password manager as a suggestion for passwords that aren't scored at a level 4, maybe link to https://www.privacyguides.org/en/passwords/ ??
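The policy the thread converges on (explicitly listed hard requirements, the merged 8-64 character limit, rejecting zxcvbn scores below 3, surfacing zxcvbn's own suggestions, a password-manager hint below score 4, and a breach check) can be pulled into one server-side helper. The block below is an added example, not Browsertrix's code. It assumes the caller has already run zxcvbn (Python port or zxcvbn-ts) and passes its `score`/`feedback` result in, and that the caller fetches the Have I Been Pwned range for the hash prefix itself; the hash-prefix/suffix split and the range parsing follow HIBP's k-anonymity protocol, the sample range body and breach counts are constructed for the example, and the zxcvbn result dicts in the test are hand-written stand-ins. Whatever the frontend shows, the same checks should run again on the backend, since client-side validation can be bypassed.

```python
"""Password policy helper: listed hard requirements + zxcvbn score gate + HIBP k-anonymity check.

Added example, not project code. zxcvbn is not imported; its result (score 0-4 and a
feedback dict with 'warning' and 'suggestions') is passed in by the caller.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 8, 64       # hard requirement merged in the thread
MIN_SCORE = 3                  # reject zxcvbn scores below this (thread proposal)
MANAGER_HINT_BELOW = 4         # suggest a password manager below this score
PASSWORD_MANAGER_URL = "https://www.privacyguides.org/en/passwords/"


@dataclass
class PolicyResult:
    ok: bool
    # Every hard requirement with its pass/fail state, so the UI can list them
    # up front instead of making the user discover them one rejection at a time.
    requirements: list[tuple[str, bool]]
    warnings: list[str] = field(default_factory=list)
    suggestions: list[str] = field(default_factory=list)


def evaluate_password(password: str, strength: dict, pwned_count: int = 0) -> PolicyResult:
    """Apply the hard requirements and fold in zxcvbn's feedback and the breach count."""
    score = int(strength["score"])
    feedback = strength.get("feedback") or {}
    length = len(password)  # code points, not bytes: "Pässwörd" is 8 characters
    requirements = [
        (f"Between {MIN_LEN} and {MAX_LEN} characters", MIN_LEN <= length <= MAX_LEN),
        (f"Strength score of at least {MIN_SCORE} out of 4 (currently {score})", score >= MIN_SCORE),
        ("Not found in a known data breach", pwned_count == 0),
    ]
    result = PolicyResult(ok=all(met for _, met in requirements), requirements=requirements)
    if feedback.get("warning"):
        result.warnings.append(feedback["warning"])
    if pwned_count > 0:
        result.warnings.append(
            f"This password appeared in {pwned_count} breaches; choose a different one."
        )
    result.suggestions.extend(feedback.get("suggestions") or [])
    if score < MANAGER_HINT_BELOW:
        result.suggestions.append(f"Consider using a password manager: {PASSWORD_MANAGER_URL}")
    return result


def hibp_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest the way HIBP's range API expects.

    Only the 5-character prefix leaves the server (GET https://api.pwnedpasswords.com/range/<prefix>);
    the 35-character suffix is matched locally against the returned list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count_from_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines from a range response; 0 means not found (or padded zero entry)."""
    for line in range_body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix.upper():
            return int(count.strip())
    return 0


def check_with_range(password: str, strength: dict, range_body: str) -> PolicyResult:
    """Full flow: hash locally, look the suffix up in the fetched range, then apply the policy."""
    _prefix, suffix = hibp_prefix_and_suffix(password)
    return evaluate_password(password, strength, pwned_count_from_range(suffix, range_body))


# Constructed stand-in for the range response for prefix 5BAA6 (SHA-1 of "password" starts
# with 5BAA6). The second suffix is the real one for "password"; all counts are made up.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
01C7EB1C8F6C83CA2F9C3D4B5E6A7F80912:0
"""
```

Because the requirements list is always returned in full, the UI can render it as a checklist next to the zxcvbn suggestions, which is the "state the hard rules, then coach" split discussed above; keeping the breach lookup to the 5-character prefix means the password hash itself never goes to the third-party service.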