Commit Graph

9 Commits

Author SHA1 Message Date
Anders Kaseorg b0be0d5285 settings_account: Use webpack asynchronous require to load zxcvbn.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-07-02 16:50:03 -07:00
Anders Kaseorg 23cd064c86 webpack: Elide node_modules when importing JS modules.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-06-26 16:49:32 -07:00
Steve Howell 42435db492 Add run_test helper for individual tests.
This run_test helper sets up a convention that allows
us to give really short tracebacks for errors, and
eventually we can have more control over running
individual tests.  (The latter goal has some
complications, since we often intentionally leak
setup in tests.)
2018-05-15 08:24:44 -07:00
Steve Howell 14631b8748 node tests: Use zrequire in password.js. 2017-11-08 12:24:17 -08:00
Greg Price a116303604 passwords: Express the quality threshold as guesses required.
The original "quality score" was invented purely for populating
our password-strength progress bar, and isn't expressed in terms
that are particularly meaningful.  For configuration and the core
accept/reject logic, it's better to use units that are readily
understood.  Switch to those.

I considered using "bits of entropy", defined loosely as the log
of this number, but both the zxcvbn paper and the linked CACM
article (which I recommend!) are written in terms of the number
of guesses.  And reading (most of) those two papers made me
less happy about referring to "entropy" in our terminology.
I already knew that notion was a little fuzzy if looked at
too closely, and I gained a better appreciation of how it's
contributed to confusion in discussing password policies and
to adoption of perverse policies that favor "Password1!" over
"derived unusual ravioli raft".  So, "guesses" it is.

And although the log is handy for some analysis purposes
(certainly for a graph like those in the zxcvbn paper), it adds
a layer of abstraction, and I think makes it harder to think
clearly about attacks, especially in the online setting.  So
just use the actual number, and if someone wants to set a
gigantic value, they will have the pleasure of seeing just
how many digits are involved.

(Thanks to @YJDave for a prototype that the code changes in this
 commit are based on.)
2017-10-08 15:48:44 -07:00
Vishnu Ks fcd944447e common.js: Don't set default password quality/length in frontend.
The min quality/length values are always available via data
attributes. So there is no point of specefying a default value
in common.js.
2017-07-07 14:48:06 -07:00
Vishnu Ks f273e83a85 portico: Explain why password is weak to user. 2017-07-07 14:48:06 -07:00
Joshua Pan 525cc34491 node_tests: Add test for long low-quality passwords. 2017-05-23 10:26:30 -07:00
Steve Howell b45cd5538e Add node tests for password checks. 2017-01-10 04:55:41 -08:00