Commit Graph

12 Commits

Author SHA1 Message Date
Greg Price a116303604 passwords: Express the quality threshold as guesses required.
The original "quality score" was invented purely for populating
our password-strength progress bar, and isn't expressed in terms
that are particularly meaningful.  For configuration and the core
accept/reject logic, it's better to use units that are readily
understood.  Switch to those.

I considered using "bits of entropy", defined loosely as the log
of this number, but both the zxcvbn paper and the linked CACM
article (which I recommend!) are written in terms of the number
of guesses.  And reading (most of) those two papers made me
less happy about referring to "entropy" in our terminology.
I already knew that notion was a little fuzzy if looked at
too closely, and I gained a better appreciation of how it's
contributed to confusion in discussing password policies and
to adoption of perverse policies that favor "Password1!" over
"derived unusual ravioli raft".  So, "guesses" it is.

And although the log is handy for some analysis purposes
(certainly for a graph like those in the zxcvbn paper), it adds
a layer of abstraction, and I think makes it harder to think
clearly about attacks, especially in the online setting.  So
just use the actual number, and if someone wants to set a
gigantic value, they will have the pleasure of seeing just
how many digits are involved.

(Thanks to @YJDave for a prototype that the code changes in this
 commit are based on.)
2017-10-08 15:48:44 -07:00
Greg Price 11e767f5b1 passwords: Revise our password-quality logic for clarity.
This should be a pure refactor: we're just removing or tightening
some obsolete comments, and rearranging some logic to make it
easier to follow.
2017-10-08 15:48:44 -07:00
Pweaver (Paul Weaver) d3ffc81726 Enable Hot Module Replacement in webpack.
This allow the webbpack dev server to properly reload JavaScript modules
while running in dev without restarting the server. We need to connect
to webpack-dev-server directly because SockJS doesn't support more than
one connection on the same host/port.
2017-07-18 11:02:05 -07:00
Steve Howell ff80ba4f99 autofocus: Remove unneeded `$(...)[0]` idiom.
Using the first element of a jQuery collection is either
unnecessary or extremely brittle.
2017-07-09 08:31:22 -04:00
Vishnu Ks fcd944447e common.js: Don't set default password quality/length in frontend.
The min quality/length values are always available via data
attributes. So there is no point of specefying a default value
in common.js.
2017-07-07 14:48:06 -07:00
Vishnu Ks f273e83a85 portico: Explain why password is weak to user. 2017-07-07 14:48:06 -07:00
Harshit Bansal 6615f2f2e8 common.js: Migrate `common.js` module to use IIFE module style.
This module was exposing its functions as globals. This PR fixes
it use the IIFE module style that we use in our other modules.
2017-06-22 19:06:32 -04:00
Bojidar Marinov 786dd0fca4 auth: Make min password length and strength configurable.
This adds some configuration options to settings.py, namely
PASSWORD_MIN_LENGTH and PASSWORD_MIN_QUALITY, which control
when the frontend validator invalidates the password.

Closes #2628
2017-01-10 04:55:41 -08:00
Rafid Aslam 7856217a63 Migrate JS modules to CommonJS style.
Closes #1488.
2016-12-07 16:11:52 -08:00
Rafid Aslam 0951b838ca deps: Update zxcvbn to 4.4.1
Update zxcvbn to 4.4.1, and change `crack_time` to
`crack_times_seconds` because `crack_time` has been changed to
`crack_times_seconds` in 4.4.1.
2016-12-06 17:51:33 -08:00
Tim Abbott 5a320db3c1 Add curly braces for all javascript if statements lacking them.
(imported from commit 32c7643d1a6ecdfaf634424d217938c8a368dade)
2013-08-01 11:47:54 -04:00
Tim Abbott 3bba0cc927 Move zephyr/static to just static.
It's not really a part of the server (aka the rest of zephyr/).

(imported from commit 27f6b6b064938ad927075a68d873e4b68710d279)
2013-07-29 12:11:26 -04:00