Feature #80792

open

Password strength meter for BE Login

Added by Anja Leichsenring about 7 years ago. Updated over 1 year ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2017-04-10
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:
Needs Decision

Description

Provide a strength meter for password fields to give the user a hint about the password he chooses.


Related issues: 4 (1 open, 3 closed)

  • Related to TYPO3 Core - Bug #66459: feuser has no validation settings on password apart of minLength (Closed, 2015-04-16)
  • Related to TYPO3 Core - Bug #56004: Retain username when entering an insecure password (Closed, 2014-02-16)
  • Related to TYPO3 Core - Epic #97387: Configurable Password Policies (Under Review, Torben Hansen, 2022-04-15)
  • Blocked by TYPO3 Core - Feature #80791: Hide Password while typing (Closed, 2017-04-10)
#1

Updated by Riccardo De Contardi about 7 years ago

  • Related to Bug #66459: feuser has no validation settings on password apart of minLength added
#2

Updated by Riccardo De Contardi about 7 years ago

  • Related to Bug #56004: Retain username when entering an insecure password added
#3

Updated by Benni Mack almost 7 years ago

  • Target version changed from 8 LTS to Candidate for Major Version
#4

Updated by Susanne Moog about 4 years ago

  • Sprint Focus set to Needs Decision
#5

Updated by Susanne Moog about 4 years ago

  • Category set to Security
#6

Updated by Oliver Hader over 1 year ago

  • Related to Epic #97387: Configurable Password Policies added
#7

Updated by Oliver Hader over 1 year ago

  • Blocks deleted (Feature #80793: provide configurable password policies)
#8

Updated by Oliver Hader over 1 year ago

https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler contains a great explanation of how to measure password strength and why, for instance, the NIST approach is not accurate (around minute 16:00+ in the video).

That approach includes weak word lists (which would have to be adjusted for different languages when it comes to names and umlaut characters) as well as keyboard maps (which would have to be extended as well for a bunch of European layouts) - if not adjusted, results probably are still accurate (but could be better of course). For instance we might want to add joh316 to those lists.

Given that training data might become big (~ 1 MB for the JavaScript part), using a server-side API approach (custom controller) might solve it and avoids cluttering the JavaScript client space.

JavaScript Implementation (CoffeeScript, but transformable to TypeScript)

https://github.com/dropbox/zxcvbn
https://github.com/dropbox/zxcvbn/tree/master/data-scripts (generators for training data)

PHP Implementation

https://github.com/bjeavons/zxcvbn-php
https://github.com/bjeavons/zxcvbn-php/tree/master/data-scripts (generators for training data)

Scoring

Demo: https://lowe.github.io/tryzxcvbn/

Example

const result = zxcvbn(password); // zxcvbn() from the library linked above; password is the value of the form field
if (result.guesses < 1000) {
  // too weak: fewer than 10^3 estimated guesses
}
if (result.score < 2) { // score ranges from 0-4
  // too weak
}
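Added example, not TYPO3 core code and not the zxcvbn library: a deliberately small guess-based estimator in the spirit of zxcvbn, to show how a ranked weak-word list, a keyboard map and user-specific words (zxcvbn's user_inputs argument) move the estimate far more than character-class rules do. The word list, keyboard rows and multipliers below are constructed for illustration; the score thresholds (10^3, 10^6, 10^8, 10^10 guesses for scores 0 to 4) are the ones zxcvbn uses, and the acceptance rule is the one from the snippet above.

```javascript
// Constructed weak-word list, most common first; rank = index + 1.
const WEAK_WORDS = ['password', '123456', 'qwerty', 'admin', 'letmein', 'joh316', 'typo3', 'sommer'];

// Common letter substitutions, undone before the dictionary lookup.
const LEET = { '4': 'a', '@': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };

// US QWERTY rows only; a German QWERTZ map would need its own rows (including umlauts).
const KEYBOARD_ROWS = ['1234567890', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm'];
const KEY_COUNT = KEYBOARD_ROWS.join('').length; // 36

// Dictionary estimate: guesses ~ rank of the matched word, times small factors
// for l33t spelling, capitalisation and a trailing digit suffix ("password1").
function dictionaryGuesses(password, userInputs) {
  const words = WEAK_WORDS.concat(userInputs.map(w => w.toLowerCase()));
  const lower = password.toLowerCase();
  const unleet = lower.replace(/[4@31!0$57]/g, ch => LEET[ch]);
  const capitalised = password !== lower ? 2 : 1;
  let best = Infinity;
  for (const candidate of [lower, unleet]) {
    const leet = candidate === lower ? 1 : 2;
    const m = candidate.match(/^(.+?)(\d*)$/); // split off a trailing digit suffix
    const forms = m ? [[candidate, ''], [m[1], m[2]]] : [[candidate, '']];
    for (const [base, digits] of forms) {
      const rank = words.indexOf(base) + 1;
      if (rank === 0) continue;
      best = Math.min(best, rank * leet * capitalised * Math.pow(10, digits.length));
    }
  }
  return best;
}

// Keyboard walk: the whole password is a run along one row, in either direction.
// Constructed cost: starting key (KEY_COUNT) times direction (2) times length.
function keyboardGuesses(password) {
  const lower = password.toLowerCase();
  if (lower.length < 3) return Infinity;
  for (const row of KEYBOARD_ROWS) {
    const reversed = row.split('').reverse().join('');
    if (row.includes(lower) || reversed.includes(lower)) return KEY_COUNT * 2 * lower.length;
  }
  return Infinity;
}

// Repeat: one character repeated n times. Constructed cost: ~36 choices times n.
function repeatGuesses(password) {
  if (password.length < 2) return Infinity;
  if (!password.split('').every(ch => ch === password[0])) return Infinity;
  return 36 * password.length;
}

// Brute force: size of the character classes present, to the power of the length.
function bruteForceGuesses(password) {
  let charset = 0;
  if (/[a-z]/.test(password)) charset += 26;
  if (/[A-Z]/.test(password)) charset += 26;
  if (/[0-9]/.test(password)) charset += 10;
  if (/[^a-zA-Z0-9]/.test(password)) charset += 33;
  return Math.pow(charset, password.length);
}

// zxcvbn's score bands: 0 (< 10^3 guesses) up to 4 (>= 10^10 guesses).
function scoreFromGuesses(guesses) {
  if (guesses < 1e3) return 0;
  if (guesses < 1e6) return 1;
  if (guesses < 1e8) return 2;
  if (guesses < 1e10) return 3;
  return 4;
}

// The attacker picks the cheapest pattern, so the estimate is the minimum over matchers.
// userInputs plays the role of zxcvbn's user_inputs (username, site name, ...).
function evaluate(password, userInputs = []) {
  const candidates = {
    dictionary: dictionaryGuesses(password, userInputs),
    keyboard: keyboardGuesses(password),
    repeat: repeatGuesses(password),
    bruteforce: bruteForceGuesses(password),
  };
  let pattern = 'bruteforce';
  for (const name of Object.keys(candidates)) {
    if (candidates[name] < candidates[pattern]) pattern = name;
  }
  const guesses = candidates[pattern];
  const score = scoreFromGuesses(guesses);
  // same acceptance rule as the snippet in the comment above
  return { guesses, score, pattern, acceptable: guesses >= 1000 && score >= 2 };
}

for (const pw of ['joh316', 'P@ssw0rd', 'asdfgh', 'Sommer2017', 'Ko9#vTz2qLm!']) {
  console.log(pw, evaluate(pw));
}
```

Sommer2017 is the instructive case: a character-class rule (letters, digits, uppercase, ten characters) would accept it, while a ranked list that contains the German word "sommer" puts it at score 1. Passing the username as a user input makes "mmustermann1" score 0 for the same reason, which is what a server-side endpoint could do with the login name it already has.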