
Add a password strength meter to Wallet

Open fmarier opened this issue 2 years ago • 6 comments

In order to help users avoid known-bad passwords and give them a rough indication of how hard their password would be to crack, we should have a password strength meter during the setup phase.

This one from Dropbox is quite good: https://github.com/dropbox/zxcvbn

fmarier avatar May 12 '22 20:05 fmarier

Example of a bad password that it would be good to flag: (screenshot attached: "Screenshot from 2022-07-26 11-36-14")

fmarier avatar Jul 26 '22 18:07 fmarier

@fmarier, has zxcvbn already been formally audited by the security team or do we need to request one?

josheleonard avatar Jul 26 '22 23:07 josheleonard

@josheleonard It already ships with Chromium: https://source.chromium.org/chromium/chromium/src/+/main:third_party/zxcvbn-cpp/

fmarier avatar Aug 04 '22 22:08 fmarier

We partially updated this in onboarding V2 where this now measures relative strength based on length of password (low is 8, medium is 12, high is 16). I think the only other thing we'd need to do here is add in the password compromise checks which could be integrated with the PIR protocol once we have more certainty on it during the research phase of things.

kdenhartog avatar Aug 26 '22 17:08 kdenhartog

What's nice about the strength meter in zxcvbn is that it also has a built-in DB of really bad passwords:

Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

So you get a score mostly based on length, but then you presumably get a terrible score if you hit one of these easily-guessable passwords.

fmarier avatar Aug 26 '22 18:08 fmarier

Hmm, I see that's actually quite useful and now that I think about it there's nothing precluding us from using a strength meter that includes zxcvbn and PIR protocol combined with the length check we just recently added in.

kdenhartog avatar Sep 20 '22 10:09 kdenhartog
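The two pieces discussed above, the 8 / 12 / 16 length buckets from onboarding V2 and a zxcvbn-style override for dictionary words and trivial patterns, combined in one check. This is an added C++ example, not brave-core's or zxcvbn's code; the six-entry dictionary is a constructed stand-in for zxcvbn's list and the function names are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Relative strength buckets from the onboarding V2 length check: 8 / 12 / 16.
enum class Strength { kWeak = 0, kLow = 1, kMedium = 2, kHigh = 3 };

// Constructed stand-in for zxcvbn's ~30k-entry common-password list (assumption).
const std::vector<std::string> kCommonPasswords = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"};

// Dictionary hit: the input is a common password, or one repeated back to back
// ("passwordpassword"), which a pure length check would otherwise rate high.
bool IsDictionaryWord(const std::string& lower) {
  for (const auto& common : kCommonPasswords) {
    if (lower.size() < common.size() || lower.size() % common.size() != 0) continue;
    bool repeated = true;
    for (size_t i = 0; i < lower.size() && repeated; i += common.size())
      repeated = lower.compare(i, common.size(), common) == 0;
    if (repeated) return true;
  }
  return false;
}

// Repeats ("aaaaaaaa") and sequences ("abcdefgh", "12345678"): every adjacent
// character gap is the same value in {-1, 0, +1}, like zxcvbn's matchers.
bool IsRepeatOrSequence(const std::string& s) {
  if (s.size() < 3) return false;
  const int step = s[1] - s[0];
  if (step < -1 || step > 1) return false;
  for (size_t i = 2; i < s.size(); ++i)
    if (s[i] - s[i - 1] != step) return false;
  return true;
}

// Length buckets decide the score, but a dictionary or pattern hit overrides
// to kWeak regardless of length, so easily guessable input never scores well.
Strength EvaluatePassword(const std::string& password) {
  std::string lower = password;  // case-insensitive dictionary lookup
  std::transform(lower.begin(), lower.end(), lower.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  if (IsDictionaryWord(lower) || IsRepeatOrSequence(lower)) return Strength::kWeak;
  if (password.size() < 8) return Strength::kWeak;
  if (password.size() < 12) return Strength::kLow;
  if (password.size() < 16) return Strength::kMedium;
  return Strength::kHigh;
}
```

A real integration would swap the constructed list for zxcvbn's scoring and keep the length buckets as the floor, so the UI bar never shows "high" for a 16-character dictionary repeat.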

Hello, I am in a Master's degree in cybersecurity and my final project with my group is to contribute to some security issues on open-source projects. I would like to contribute to this issue, is it still open/available? Thank you.

AlexisOsmont avatar Feb 10 '23 09:02 AlexisOsmont

Yes this one is still open. @fmarier @josheleonard @darkdh or @yrliou do you have any specific details about how we want this to be handled? For example, do we want this password check to be done down in the core code or are we good keeping this in the UI logic?

kdenhartog avatar Feb 12 '23 00:02 kdenhartog

@kdenhartog, this should probably be handled by core so we can share the logic across platforms.

josheleonard avatar Feb 13 '23 17:02 josheleonard

Thank you for your answers. To be honest the Brave architecture is not easy. But if I understood correctly, you would like to use zxcvbn; for that it would be necessary to create new .cc and .h files which will include functions that use zxcvbn, to then use them in files of type use-password-strength.ts ... Are there resources that explain the overall architecture of the project please?

AlexisOsmont avatar Feb 16 '23 16:02 AlexisOsmont

https://www.chromium.org/developers/how-tos/getting-around-the-chrome-source-code - describes directory structure of the chromium project. We typically try to adhere to this type of structure in brave-core as well. https://www.chromium.org/developers/design-documents/multi-process-architecture - describes high level chromium architecture which we also follow.

At a high level we use https://github.com/brave/brave-browser to integrate https://github.com/brave/brave-core with the chromium code base so that it's buildable. More information on getting a developer environment setup can be found here: https://github.com/brave/brave-browser/blob/master/README.md

In the case of this specific work, you'd likely want to implement the password checks in the https://github.com/brave/brave-core/blob/master/components/brave_wallet/browser/password_encryptor.cc file, and then expose the functionality over mojom via https://github.com/brave/brave-core/blob/master/components/brave_wallet/common/brave_wallet.mojom and finally consume the new function exposed over mojo so you can consume it inside https://github.com/brave/brave-core/blob/master/components/brave_wallet_ui/components/shared/password-input/password-strength-bar.tsx

This definitely isn't the easiest first ticket to take on, but it is possible if you're up for learning a few pre-requisite things about the project first.

kdenhartog avatar Feb 16 '23 22:02 kdenhartog