Project

General

Profile

Actions

Feature #80792

open

Password strength meter for BE Login

Added by Anja Leichsenring over 7 years ago. Updated 4 months ago.

Status:
Accepted
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2017-04-10
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Provide a strength meter for password fields to give the user a hint about the password he chooses.


Related issues 5 (2 open3 closed)

Related to TYPO3 Core - Bug #66459: feuser has no validation settings on password apart of minLengthClosed2015-04-16

Actions
Related to TYPO3 Core - Bug #56004: Retain username when entering an insecure passwordClosed2014-02-16

Actions
Related to TYPO3 Core - Epic #97387: Configurable Password PoliciesUnder ReviewTorben Hansen2022-04-15

Actions
Related to TYPO3 Core - Feature #69190: Add password generator "wizard"New2015-08-19

Actions
Blocked by TYPO3 Core - Feature #80791: Hide Password while typingClosed2017-04-10

Actions
Actions #1

Updated by Riccardo De Contardi over 7 years ago

  • Related to Bug #66459: feuser has no validation settings on password apart of minLength added
Actions #2

Updated by Riccardo De Contardi over 7 years ago

  • Related to Bug #56004: Retain username when entering an insecure password added
Actions #3

Updated by Benni Mack over 7 years ago

  • Target version changed from 8 LTS to Candidate for Major Version
Actions #4

Updated by Susanne Moog over 4 years ago

  • Sprint Focus set to Needs Decision
Actions #5

Updated by Susanne Moog over 4 years ago

  • Category set to Security
Actions #6

Updated by Oliver Hader about 2 years ago

  • Related to Epic #97387: Configurable Password Policies added
Actions #7

Updated by Oliver Hader about 2 years ago

  • Blocks deleted (Feature #80793: provide configurable password policies)
Actions #8

Updated by Oliver Hader about 2 years ago

https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler contains great explanation on how to measure password strength and why for instance the NIST approach is not accurate (around minute 16:00+ in the video).

That approach includes weak word lists (which would have to be adjusted by use for different languages if it comes to names and umlaut characters) as well as keyboard maps (which would have to be extended as well for a bunch of European layouts) - if not adjusted, results probably are still accurate (but could be better of course). For instance we might to add joh316 to those lists.

Given that training data might become big (~ 1 MB for the JavaScript part), using a server-side API approach (custom controller) might solve it and avoids cluttering the JavaScript client space.

JavaScript Implementation (Coffee Script, but transformable to TypeScript)

https://github.com/dropbox/zxcvbn
https://github.com/dropbox/zxcvbn/tree/master/data-scripts (generators for training data)

PHP Implementation

https://github.com/bjeavons/zxcvbn-php
https://github.com/bjeavons/zxcvbn-php/tree/master/data-scripts (generators for training data)

Scoring

Demo: https://lowe.github.io/tryzxcvbn/

Example

const result = zxcvbn(password);
if (result.guesses < 1000) {
  // too weak
}
if (result.score < 2) { // range from 0-4
  // too weak
}
Actions #9

Updated by Georg Ringer 5 months ago

Actions #10

Updated by Georg Ringer 4 months ago

  • Status changed from New to Accepted
  • Sprint Focus deleted (Needs Decision)
Actions

Also available in: Atom PDF