
Implement Password Strength Meter API #136

Closed
aeneasr opened this issue Dec 9, 2019 · 11 comments

Comments

aeneasr (Member) commented Dec 9, 2019

Is your feature request related to a problem? Please describe.

The API should return a password strength ranging from 0.0 (weak) to 1.0 (strong) to support frontends with displaying a password-strength meter.

@aeneasr aeneasr added this to the v0.0.2 milestone Dec 9, 2019
Firstyear commented

I'd recommend you look at zxcvbn as it also provides good feedback on how users can improve their passwords, and has js, go, rs, py and other implementations for client and server side validation.

aeneasr (Member, Author) commented Dec 10, 2019

Thanks! That looks pretty good. We're already checking against HIBP to find leaked passwords, but I think preventing certain patterns (aaa) is a good idea also.

aeneasr (Member, Author) commented Dec 10, 2019

yindia (Contributor) commented Dec 11, 2019

Anyone working on this?

aeneasr (Member, Author) commented Dec 11, 2019 via email

yindia (Contributor) commented Dec 13, 2019

@aeneasr can we write it as a package in ory/x so that hydra can also use this route, like the health route?

aeneasr (Member, Author) commented Dec 16, 2019

Hydra doesn't need this :)

aeneasr (Member, Author) commented Feb 19, 2020

I'm closing this because we went another route with password policies. We're using things like Levenshtein distance and the HIBP API to find if a password is uncompromised and hard to guess.

@aeneasr aeneasr closed this as completed Feb 19, 2020
This was referenced Feb 19, 2020
juliandroid commented

Is it possible for ory.sh/kratos/docs/concepts/security/ to be updated, since it references this ticket here?

aeneasr (Member, Author) commented Apr 13, 2020

Right, we could probably offer a binary API that runs the password validation against e.g. { "password": ... } and returns either ok or the error. It wouldn't be a password meter in the classical sense though.
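The "ok or error" validation described in the two maintainer comments above (Levenshtein distance against the identifier plus an HIBP k-anonymity range lookup), as an added example; this is not Kratos's own code. The distance threshold, the `identifier` parameter and the offline range response are constructed assumptions; a real deployment would fetch the range for the 5-character hash prefix from the HIBP API.

```go
package main
import (
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"strings"
)

const minIdentifierDistance = 5 // constructed threshold for this example, not a Kratos default
func minInt(a, b int) int { if a < b { return a }; return b }
// levenshtein returns the rune-wise edit distance between a and b (one-row DP).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev { prev[j] = j }
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1 // substitution cost; free when the runes match
			if ra[i-1] == rb[j-1] { cost = 0 }
			cur[j] = minInt(minInt(prev[j]+1, cur[j-1]+1), prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}
// breached reports whether the SHA-1 suffix of password appears in an HIBP range
// response ("SUFFIX:COUNT" per line); only the first 5 hex chars leave the host.
func breached(password, rangeBody string) bool {
	sum := sha1.Sum([]byte(password))
	suffix := strings.ToUpper(hex.EncodeToString(sum[:]))[5:]
	for _, line := range strings.Split(rangeBody, "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) == 2 && parts[0] == suffix {
			return true
		}
	}
	return false
}
// CheckPassword is the "ok or error" shape of the binary API: nil means ok.
func CheckPassword(password, identifier, rangeBody string) error {
	if levenshtein(strings.ToLower(password), strings.ToLower(identifier)) < minIdentifierDistance {
		return errors.New("password too similar to identifier")
	}
	if breached(password, rangeBody) {
		return errors.New("password found in breach data")
	}
	return nil
}
```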

@aeneasr aeneasr reopened this Apr 13, 2020
@aeneasr aeneasr modified the milestones: v0.4.0-alpha.1, v0.5.0-alpha.1 Jun 8, 2020
@aeneasr aeneasr removed the security label Aug 20, 2020
@aeneasr aeneasr modified the milestones: v0.6.0-alpha.1, v0.7.0-alpha.1 Dec 9, 2020
@aeneasr aeneasr removed this from the v0.9.0-alpha.1 milestone Aug 17, 2021
aeneasr (Member, Author) commented Oct 19, 2021

I am closing this issue as it has not received any engagement from the community or maintainers in a long time. That does not imply that the issue has no merit. If you feel strongly about this issue

  • open a PR referencing and resolving the issue;
  • leave a comment on it and discuss ideas how you could contribute towards resolving it;
  • open a new issue with updated details and a plan on resolving the issue.

We are cleaning up issues every now and then, primarily to keep the 4000+ issues in our backlog in check and to prevent maintainer burnout. Burnout in open source maintainership is a widespread and serious issue. It can lead to severe personal and health issues as well as enabling catastrophic attack vectors.

Thank you to anyone who participated in the issue! 🙏✌️
