api.webmaker.org

Consider using password strength test instead of specific rules

Open k88hudson opened this issue 10 years ago • 5 comments

I was looking around validation stuff the other day and found https://github.com/dropbox/zxcvbn, which uses a bunch of rules that get converted into a generic indicator of password strength rather than a single rule set. The output looks like this:

result.entropy            # bits

result.crack_time         # estimation of actual crack time, in seconds.

result.crack_time_display # same crack time, as a friendlier string:
                          # "instant", "6 minutes", "centuries", etc.

result.score              # [0,1,2,3,4] if crack time is less than
                          # [10**2, 10**4, 10**6, 10**8, Infinity].
                          # (useful for implementing a strength bar.)

result.match_sequence     # the list of patterns that zxcvbn based the
                          # entropy calculation on.

result.calc_time          # how long it took zxcvbn to calculate an answer,
                          # in milliseconds.

and appears to users like this:

[image: screenshot of the zxcvbn strength indicator as shown to users]

It seems like this would be a better user experience for helping people create strong passwords, what do you think?

More info here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

k88hudson · Aug 31 '15 19:08
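To make the proposal concrete, here is an added example (not code from the issue, the linked PR, or zxcvbn itself) of what a score-based check looks like next to a fixed rule set. Only the score-from-crack-time mapping and the friendly crack-time strings follow the zxcvbn output fields quoted above; the entropy estimator, the 10^4 guesses-per-second rate, the mini word list, the leet map, the "legacy" rule set and the score >= 3 acceptance threshold are all assumptions made for illustration and are not zxcvbn's algorithm.

```javascript
// Added example: a toy model of score-based password acceptance in the style of
// zxcvbn's output fields. The estimator is deliberately simplified and is NOT
// zxcvbn's algorithm; its constants and word list are assumptions.

// Constructed mini word list, ranked most common first (assumption).
const COMMON_WORDS = ["password", "qwerty", "letmein", "welcome", "monkey", "dragon", "football"];

// Common character substitutions reversed before the dictionary lookup (assumption).
const LEET = { "@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "4": "a", "5": "s", "7": "t" };

// Assumed attacker rate used to turn entropy into an estimated crack time.
const GUESSES_PER_SECOND = 1e4;

// Bits of a naive brute-force search over the character classes present.
function bruteForceEntropy(password) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 33;
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Bits if the password is a common word plus capitalisation, substitutions and
// trailing digits; returns null when no word in the list matches.
function dictionaryEntropy(password) {
  const [, core, digits] = password.match(/^(.*?)(\d*)$/);
  const normalized = core.toLowerCase().replace(/[@0134$57]/g, (c) => LEET[c]);
  const rank = COMMON_WORDS.indexOf(normalized);
  if (rank === -1) return null;
  let bits = Math.log2(rank + 1);                   // position in the list = guesses needed
  if (/[A-Z]/.test(core)) bits += 1;                // one bit for a capital letter
  if (normalized !== core.toLowerCase()) bits += 1; // one bit for leet substitution
  bits += digits.length * Math.log2(10);            // each appended digit adds ~3.3 bits
  return bits;
}

// Take the cheaper of the two attacks.
function estimateEntropy(password) {
  const dict = dictionaryEntropy(password);
  const brute = bruteForceEntropy(password);
  return dict === null ? brute : Math.min(dict, brute);
}

// Expected seconds to reach the password at the assumed rate (half the space on average).
function crackTimeSeconds(entropy) {
  return (0.5 * Math.pow(2, entropy)) / GUESSES_PER_SECOND;
}

// Score 0..4 using the crack-time thresholds quoted from zxcvbn in the issue:
// score n if crack time is below [10^2, 10^4, 10^6, 10^8, Infinity][n].
function scoreFromCrackTime(seconds) {
  const thresholds = [1e2, 1e4, 1e6, 1e8];
  let score = 0;
  while (score < thresholds.length && seconds >= thresholds[score]) score++;
  return score;
}

// Friendly string in the spirit of crack_time_display.
function crackTimeDisplay(seconds) {
  if (seconds < 1) return "instant";
  if (seconds < 60) return `${Math.round(seconds)} seconds`;
  if (seconds < 3600) return `${Math.round(seconds / 60)} minutes`;
  if (seconds < 86400) return `${Math.round(seconds / 3600)} hours`;
  if (seconds < 31536000) return `${Math.round(seconds / 86400)} days`;
  if (seconds < 100 * 31536000) return `${Math.round(seconds / 31536000)} years`;
  return "centuries";
}

// Hypothetical fixed rule set of the kind the thread argues against (assumption):
// 8+ characters with lower, upper and a digit.
function meetsLegacyRules(password) {
  return password.length >= 8 && /[a-z]/.test(password) && /[A-Z]/.test(password) && /[0-9]/.test(password);
}

// Strength-based acceptance: require score >= 3 (threshold is an assumption).
function evaluatePassword(password) {
  const entropy = estimateEntropy(password);
  const seconds = crackTimeSeconds(entropy);
  const score = scoreFromCrackTime(seconds);
  return {
    entropy,
    crackTimeSeconds: seconds,
    crackTimeDisplay: crackTimeDisplay(seconds),
    score,
    acceptable: score >= 3,
    meetsLegacyRules: meetsLegacyRules(password),
  };
}

// Demo on constructed sample passwords.
for (const pw of ["Password1", "P@ssw0rd", "correct horse battery staple"]) {
  console.log(pw, evaluatePassword(pw));
}
```

The two directions of disagreement are the point: "Password1" satisfies every rule in the fixed set yet is a top-ranked word with one capital and one digit, so it scores 0, while a long lowercase passphrase fails the rule set and scores 4. Whatever the real estimator, the acceptance decision should hang off the score (or crack time), and the rule checks become at most a hint shown in the UI.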

Yesssssss, this is so much better.

jbuck · Aug 31 '15 19:08

This would definitely solve the problem I was describing in that issue!

I've thrown together what I think is a working version of it at matthewsot/id.webmaker.org (see https://github.com/matthewsot/id.webmaker.org/commit/62aeb4614add43aaac38b4a9dc9dd60739704046) though I have close to zero experience with React/Node and am not able to test whether it actually works (it shows the strength meter, but I don't have the other parts set up to test if it will let you sign up with the validated password).

I'd really love to see this get implemented in Webmaker, as the current password requirements (IMO) are still far too stringent for a classroom environment. Any idea how much more work it would take to get this (or a similar solution) to the point where it can be used for Webmaker?

matthewsot · Sep 14 '15 02:09

@matthewsot Awesome! Could you submit that as a PR so we can review it?

jbuck · Sep 14 '15 18:09

Awesome @matthewsot !!

k88hudson · Sep 14 '15 19:09

@jbuck - definitely, submitted: https://github.com/mozilla/id.webmaker.org/pull/388 :)

matthewsot · Sep 15 '15 05:09