[FEATURE] Score-based password strength verification #2569
Comments
[Triage] Hi @willyborankin, thank you for filing this issue. We will add some feedback soon.

Hi, since this issue is still open, I'd like to add some feedback here. While this is a useful feature, it is a bit problematic for our use case.

Closing as #2557 merged/released. As to disabling this, if those 2 config values are not provided, this check should not come into play (@willyborankin please confirm)
What solution would you like?
The current password verification, based on pattern matching, is not as good as it could be. To improve it, I suggest using `zxcvbn4j`, which is a port of the Dropbox `zxcvbn` library that measures the strength of a password.
To implement it, the following settings need to be added to the plugin configuration:

- `plugins.security.restapi.password_min_length` - minimum password length; the default and the minimum is 8
- `plugins.security.restapi.password_score_based_validation_strength` - the required strength of a valid password. Possible values:
  - `fair` - very guessable password: protection from throttled online attacks
  - `good` - somewhat guessable password: protection from unthrottled online attacks
  - `strong` - safely unguessable password: moderate protection from an offline slow-hash scenario
  - `very_strong` - very unguessable password: strong protection from an offline slow-hash scenario

By default the plugin always checks the strength of the password and its minimal length, together with the regular expression if it is set.
The current implementation of checking username similarity will be changed in favor of `zxcvbn` similarity by adding `username` to the `user_inputs` dictionary, which means that usernames and passwords like:

- `Andrey_Pleskach`
- `Andrey_Pleskach_asdsadas!2e23`
- `andrey_pleskach`
- `asdsadas!2e23-Andrey_Pleskach`
Additional notes: as per @peternied, the performance of the library is ~5-20ms, which is a good trade-off, since updating or setting a new user password is not as common an operation as getting the list of roles, roles mappings, etc. The calculation time for passwords around 100 characters is ~100ms; as a result, to avoid performance degradation for big passwords, I suggest setting the max length of the password to 100.
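As an added illustration of the proposed checks (example code, not the plugin's implementation from #2557 and not zxcvbn4j's own), a small Java validator that wires the settings above to zxcvbn4j: the four strength names map to the minimum zxcvbn score on its 0-4 scale, the username is passed as a `user_inputs` entry, and the length bounds are enforced before scoring so that oversized passwords never reach the scorer. The class and method names, and the `RequiredStrength` enum, are assumptions of this example.

```java
import com.nulabinc.zxcvbn.Strength;
import com.nulabinc.zxcvbn.Zxcvbn;
import java.util.Collections;
import java.util.regex.Pattern;
public final class ScoreBasedPasswordValidator {
    // password_score_based_validation_strength values mapped to the minimum zxcvbn score
    // (assumed mapping: zxcvbn documents 1 = very guessable ... 4 = very unguessable).
    public enum RequiredStrength {
        FAIR(1), GOOD(2), STRONG(3), VERY_STRONG(4);
        final int minScore;
        RequiredStrength(int minScore) { this.minScore = minScore; }
    }
    public static final int MIN_LENGTH_FLOOR = 8;  // password_min_length defaults to 8 and may not go lower
    public static final int MAX_LENGTH = 100;      // cap proposed in the issue to bound zxcvbn's calculation time
    private final int minLength;
    private final RequiredStrength required;
    private final Pattern regex;                   // optional pattern check, null when not configured
    private final Zxcvbn zxcvbn = new Zxcvbn();
    public ScoreBasedPasswordValidator(int minLength, RequiredStrength required, String regex) {
        this.minLength = Math.max(MIN_LENGTH_FLOOR, minLength);
        this.required = required;
        this.regex = regex == null ? null : Pattern.compile(regex);
    }
    /** Returns null when the password is acceptable, otherwise the rejection reason. */
    public String validate(String username, String password) {
        if (password.length() < minLength) return "shorter than " + minLength + " characters";
        // Reject before scoring: zxcvbn's cost grows with length (~100ms at 100 chars per the issue).
        if (password.length() > MAX_LENGTH) return "longer than " + MAX_LENGTH + " characters";
        if (regex != null && !regex.matcher(password).matches()) return "does not match the required pattern";
        // The username becomes a zxcvbn user_inputs dictionary entry, so a password built
        // around it (in any casing) is scored as if the username were a known word.
        Strength strength = zxcvbn.measure(password, Collections.singletonList(username));
        if (strength.getScore() < required.minScore) {
            return "zxcvbn score " + strength.getScore() + " is below the required " + required.minScore;
        }
        return null;
    }
    public static void main(String[] args) {
        ScoreBasedPasswordValidator v = new ScoreBasedPasswordValidator(8, RequiredStrength.STRONG, null);
        // Constructed sample inputs, taken from the username/password list in the issue.
        for (String pw : new String[] {"andrey_pleskach", "Andrey_Pleskach_asdsadas!2e23"}) {
            String reason = v.validate("Andrey_Pleskach", pw);
            System.out.println(pw + " -> " + (reason == null ? "accepted" : "rejected: " + reason));
        }
    }
}
```

Because the minimum-length and strength checks return as soon as one fails, the caller gets a single reason per rejected password, which is what a REST API error response needs.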