Validate Complexity of Passwords #6
Comments
|
I'd like to indicate password strength client side too... we'll need to look into a plugin for this. |
|
I think Dropbox has a js library for it. Sent from my iPhone
|
|
Nice! |
|
Sounds great from my end @demianbrecht ! I have not yet started on the design, so the best way to build the templates is to make them functional only (i.e. don't worry at all about how it looks at all). Once your PR is merged, I will come through and apply the appropriate styling. |
|
The status is they still need to be written. That PR is old and it's against a version of Warehouse before I rewrote it in Pyramid so it's not directly usable. |
|
While working on the registration flow, I took a quick look at zxcvbn. I was hoping that the Python port would be consistent with the initial JS implementation. Sadly, that doesn't seem to be the case (dropbox/python-zxcvbn#14) and would lead to inconsistencies between server and client side, which wouldn't be so hot. A few potential paths I can think of:
I think I'd favor either 2 or 3 depending on which way the wind blew. |
|
@nlhkabu until there's a matching fe/be implementation, [here's what's recently been added] for password strength. Should be trivial to implement something matching in JS as a stop gap until a better replacement is found. |
|
@demianbrecht @dstufft @nlhkabu Why are we concerned about server-side password strength evaluation? We could use only the JavaScript library, and validate password strength before allowing the user to submit the form, and we could do nothing server-side. Of course, the viability of this option depends on whether we're concerned about the potential vulnerability (which I don't think we are): the determined user could theoretically use the JavaScript console or even just What's the opinion on this? Why do we need to have password strengths stored if they could be easily computed and re-computed with JavaScript? |
Because people don't only interact with Warehouse via a browser. Even so, JavaScript should never be the only form of verification. Even someone using a browser can modify the request before it is actually sent, which will bypass any JavaScript validation. Providing JS validation is merely a UX enhancement. Providing server-side validation is providing the actual service. |
|
It’s not merely a UX enhancement, it enforces security for the vast On Sat, Jul 2, 2016 at 9:07 PM Ian Cordasco [email protected]
|
Very strongly :) Without sufficient password strength on the server, as Ian mentioned, we leave users open to passwords that aren't sufficiently strong, which reduces user security. Because of the reduction of user security, it increases the risk to packages managed by a given user. Package integrity and security are of paramount importance, so everything that can be done to increase user-level security is a Good Thing. |
|
Right. Makes sense. I keep forgetting that this is a service under which On Sat, Jul 2, 2016 at 9:20 PM Demian Brecht [email protected]
|
|
I'm going to drop this out of the shut down milestone since this is implemented for the server side validation (which is the actual important one) and the only thing left is to implement it client side (which is just a UX enhancement). |
|
Given that the UX enhancement is what the end user sees and understands, I'm adding this back into the "shut down legacy PyPI" milestone. :) |
Ensure that user passwords always match some level of password complexity/strength.
The text was updated successfully, but these errors were encountered: