mirror of
https://github.com/zulip/zulip.git
synced 2025-11-04 05:53:43 +00:00
a116303604
The original "quality score" was invented purely for populating our password-strength progress bar, and isn't expressed in terms that are particularly meaningful. For configuration and the core accept/reject logic, it's better to use units that are readily understood. Switch to those. I considered using "bits of entropy", defined loosely as the log of this number, but both the zxcvbn paper and the linked CACM article (which I recommend!) are written in terms of the number of guesses. And reading (most of) those two papers made me less happy about referring to "entropy" in our terminology. I already knew that notion was a little fuzzy if looked at too closely, and I gained a better appreciation of how it's contributed to confusion in discussing password policies and to adoption of perverse policies that favor "Password1!" over "derived unusual ravioli raft". So, "guesses" it is. And although the log is handy for some analysis purposes (certainly for a graph like those in the zxcvbn paper), it adds a layer of abstraction, and I think makes it harder to think clearly about attacks, especially in the online setting. So just use the actual number, and if someone wants to set a gigantic value, they will have the pleasure of seeing just how many digits are involved. (Thanks to @YJDave for a prototype that the code changes in this commit are based on.)
79 lines
2.3 KiB
JavaScript
79 lines
2.3 KiB
JavaScript
// This reloads the module in development rather than refreshing the page
|
|
if (module.hot) {
|
|
module.hot.accept();
|
|
}
|
|
|
|
var common = (function () {
|
|
|
|
var exports = {};
|
|
|
|
exports.status_classes = 'alert-error alert-success alert-info';
|
|
|
|
exports.autofocus = function (selector) {
|
|
$(function () {
|
|
$(selector).focus();
|
|
});
|
|
};
|
|
|
|
// Return a boolean indicating whether the password is acceptable.
|
|
// Also updates a Bootstrap progress bar control (a jQuery object)
|
|
// if provided.
|
|
//
|
|
// Assumes that zxcvbn.js has been loaded.
|
|
//
|
|
// This is in common.js because we want to use it from the signup page
|
|
// and also from the in-app password change interface.
|
|
exports.password_quality = function (password, bar, password_field) {
|
|
// We load zxcvbn.js asynchronously, so the variable might not be set.
|
|
if (typeof zxcvbn === 'undefined') {
|
|
return undefined;
|
|
}
|
|
|
|
var min_length = password_field.data('minLength');
|
|
var min_guesses = password_field.data('minGuesses');
|
|
|
|
var result = zxcvbn(password);
|
|
var acceptable = (password.length >= min_length
|
|
&& result.guesses >= min_guesses);
|
|
|
|
if (bar !== undefined) {
|
|
var t = result.crack_times_seconds.offline_slow_hashing_1e4_per_second;
|
|
var bar_progress = Math.min(1, Math.log(1 + t) / 22);
|
|
|
|
// Even if zxcvbn loves your short password, the bar should be
|
|
// filled at most 1/3 of the way, because we won't accept it.
|
|
if (!acceptable) {
|
|
bar_progress = Math.min(bar_progress, 0.33);
|
|
}
|
|
|
|
// The bar bottoms out at 10% so there's always something
|
|
// for the user to see.
|
|
bar.width(((90 * bar_progress) + 10) + '%')
|
|
.removeClass('bar-success bar-danger')
|
|
.addClass(acceptable ? 'bar-success' : 'bar-danger');
|
|
}
|
|
|
|
return acceptable;
|
|
};
|
|
|
|
exports.password_warning = function (password, password_field) {
|
|
if (typeof zxcvbn === 'undefined') {
|
|
return undefined;
|
|
}
|
|
|
|
var min_length = password_field.data('minLength');
|
|
|
|
if (password.length < min_length) {
|
|
return i18n.t('Password should be at least __length__ characters long', {length: min_length});
|
|
}
|
|
return zxcvbn(password).feedback.warning || i18n.t("Password is too weak");
|
|
};
|
|
|
|
return exports;
|
|
|
|
}());
|
|
|
|
if (typeof module !== 'undefined') {
|
|
module.exports = common;
|
|
}
|