Closed tw4l closed 1 year ago
Looks like zxcvbn (nice name very creative) has a haveIbeenpwned matcher built in which is cool!
Watching the USENIX talk about it, this seems like a great solution... A few points?
Fundamentally zxcvbn seems to be a reactive method of telling users what their password should be rather than a proactive one (requirements based). I guess this is mostly something for me to work within, how can we best convey the requirements and recommendations it sets forth to users? 🤔
First step (requiring passwords to be between 8-64 chars) merged. Seems like we could add zxcvbn to the frontend as a next step to show users the relative strength of their password - might need design from @Shrinks99
It seems that the Dropbox zxcvbn repo has been dead for a number of years, but there is an active typescript rewrite that might work better for us anyway: https://github.com/zxcvbn-ts/zxcvbn
While zxcvbn itself is a scoring library that gives suggestions, we want to give users as many reasonable hard requirements that will result in low scores to reduce guesswork while creating a strong password. We should list these, use zxcvbn to check for them, and additionally list actionable suggestions it generates to help people choose stronger passwords. As a bonus check, it would be great to warn them if the password has been compromised! (zxcvbn also does this!)
Should we reject passwords on the frontend with a score less than 3? Or less than 4?
Anyone with a score less than 4 is likely not using a password manager, it's tricky balancing security recommendations with the inherently flawed system of having to remember everything :\
IMO less than 3? We may want to also include a note recommending they use a password manager as a suggestion for passwords that aren't scored at a level 4, maybe link to https://www.privacyguides.org/en/passwords/ ??