Add and enforce password validation

[tw4l]

Requirements

• Between 8-64 characters in length
• Not one of the top n commonly used passwords
• Doesn't include their name or email

Pages

• Sign up
• Reset password
• Account settings

[tw4l]

OWASP recommendations:

• Password Length
  • Minimum length of the passwords should be enforced by the application. Passwords shorter than 8 characters are considered to be weak (NIST SP800-63B).
  • Maximum password length should not be set too low, as it will prevent users from creating passphrases. A common maximum length is 64 characters due to limitations in certain hashing algorithms, as discussed in the Password Storage Cheat Sheet. It is important to set a maximum password length to prevent long password Denial of Service attacks.
• Do not silently truncate passwords. The Password Storage Cheat Sheet provides further guidance on how to handle passwords that are longer than the maximum length.
• Allow usage of all characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted.
• Ensure credential rotation when a password leak occurs, or at the time of compromise identification.
• Include password strength meter to help users create a more complex password and block common and previously breached passwords
  • zxcvbn-ts library can be used for this purpose.
  • Pwned Passwords is a service where passwords can be checked against previously breached passwords. You can host it yourself or use the API.

[Shrinks99]

Looks like zxcvbn (nice name very creative) has a haveIbeenpwned matcher built in which is cool!

Watching the USENIX talk about it, this seems like a great solution... A few points?

1. Daniel mentions that he prefers UI that "lets users fix the password any way they like" and not imposing strict requirements. Considering that we will have strict length requirements, I do think those (and any others we absolutely need) should be explicitly listed along with the zxcvbn password improvement info. I personally find having to figure out password requirements as I go to be infurating (as somebody who's passwords are random character strings that are as long as I'm allowed to enter) :P
2. As a follow up to that, their library seems to basically output a guess count and score that developers (us) can use to demand users enter a more complex password. In the talk, Daniel mentions that this could potentially be quite confusing to people if the demanded score is set too high (see previous point). Should we only require the character limit to be reached and use zxcvbn as a guideline? Should we set a low score as a requirement? He also mentions that the estimator produces metadata that can be used to provide more feedback to the user which would be nice to investigate further.

Fundamentally zxcvbn seems to be a reactive method of telling users what their password should be rather than a proactive one (requirements based). I guess this is mostly something for me to work within, how can we best convey the requirements and recommendations it sets forth to users? 🤔

[tw4l]

First step (requiring passwords to be between 8-64 chars) merged. Seems like we could add zxcvbn to the frontend as a next step to show users the relative strength of their password - might need design from @Shrinks99

[tw4l]

It seems that the Dropbox zxcvbn repo has been dead for a number of years, but there is an active typescript rewrite that might work better for us anyway: https://github.com/zxcvbn-ts/zxcvbn

[Shrinks99]

While zxcvbn itself is a scoring library that gives suggestions, we want to give users as many reasonable hard requirements that will result in low scores to reduce guesswork while creating a strong password. We should list these, use zxcvbn to check for them, and additionally list actionable suggestions it generates to help people choose stronger passwords. As a bonus check, it would be great to warn them if the password has been compromized! (zxcvbn also does this!)

Hard Requirements

• Between 8-64 characters in length
• Not one of the top n commonly used passwords
• Doesn't include their name or email

[SuaYoo]

Should we reject passwords on the frontend with a score less than 3? Or less than 4?

[Shrinks99]

Anyone with a score less than 4 is likely not using a password manager, it's tricky balancing security recommendations with the inherently flawed system of having to remember everything :\

IMO less than 3? We may want to also include a note recommending they use a password manager as a suggestion for passwords that aren't scored at a level 4, maybe link to https://www.privacyguides.org/en/passwords/ ??