Password strength #323
In the SD world, we've started automatically generating diceware passphrases for new user accounts. Not sure if that's appropriate for the signup flow here, but it simplifies the thinking that goes into "how strong does the password need to be": we just generate one that's strong enough. We also strongly encourage the use of password managers, and in the SD world at least we have access to a KeePass template on the Admin (and Journalist) Workstation. Reasonable to suppose that we'd encourage Admins to stick the Landing Page account credentials on their Admin Workstation, a la freedomofpress/securedrop#2131
Is it feasible to autogenerate a six-word diceware passphrase? There's a sweet
In particular I don't love the email requirement for signups, since email is brittle and a 20th century technology. So chalk this up as a cool idea that is likely overengineered. As a fallback we can simply set strength requirement like "minimum of 16 characters". I'm not a fan of strict requirements about character sets and all that—it's maddening. From a practical standpoint, the 2FA requirement vastly improves the situation by reducing the threat of account compromise.
I think the email requirement is unfortunately necessary for password resets :( Diceware is a cool idea (as we do this on SecureDrop) - another also good alternative is using this library which is really awesome and easy to integrate (see example from lucyparsons/OpenOversight#168).
I really like the idea of using zxcvbn or similar to determine password strength and having a minimum cutoff.
The zxcvbn idea is great! Let's go with that.
Closed via #366
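The two approaches discussed in this thread, generating a diceware passphrase for the user and falling back to a length-only minimum, side by side as an added example. This is not code from the project or from any commenter; it uses a small constructed word list as a stand-in for a real diceware list (the function names, the sample words and the 16-character fallback constant are assumptions for illustration, with the real list size of 7776 words given only so the entropy arithmetic matches a six-word passphrase).

```python
import math
import secrets

# Constructed sample word list for the example only. A real deployment would
# load a published diceware list; 32 words gives just 5 bits per word, so this
# list is far too small for production use.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orange", "pencil",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yellow", "zephyr", "anchor", "basket", "cactus", "dolphin", "ember", "falcon",
]

# Size of the EFF long word list (6^5 = 7776 entries), used for entropy math.
EFF_LONG_LIST_SIZE = 7776

# Fallback policy from the thread: a length minimum with no character-class rules.
MIN_PASSWORD_LENGTH = 16  # assumed constant name


def entropy_bits(num_words, list_size):
    """Entropy in bits of num_words words drawn uniformly from list_size words."""
    if num_words < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return num_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words=6, words=SAMPLE_WORDS, separator=" "):
    """Return a diceware-style passphrase chosen with a CSPRNG (secrets, not random)."""
    if num_words < 1:
        raise ValueError("num_words must be positive")
    if len(set(words)) != len(words):
        # Duplicates would skew the distribution and overstate the entropy.
        raise ValueError("word list must not contain duplicates")
    return separator.join(secrets.choice(words) for _ in range(num_words))


def meets_length_policy(password, min_length=MIN_PASSWORD_LENGTH):
    """Length-only check, deliberately without character-set requirements."""
    return len(password) >= min_length


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print("generated:", phrase)
    print("bits with this sample list:", entropy_bits(6, len(SAMPLE_WORDS)))
    print("bits with a 7776-word list:", round(entropy_bits(6, EFF_LONG_LIST_SIZE), 1))
    print("words needed for 77 bits from 7776 words:", words_needed(77, EFF_LONG_LIST_SIZE))
    print("meets 16-char fallback policy:", meets_length_policy(phrase))
```

The entropy helper shows why six words is the usual recommendation: with a 7776-word list each word contributes about 12.9 bits, so six words give roughly 77.5 bits, while the same six words from the 32-word sample list give only 30. A generated six-word passphrase always clears the 16-character fallback, which is the practical point of generating rather than validating.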
For FPF:
Decide what password strength requirements should be
For LW:
Implement those decisions :)