
Add passphrase complexity feedback #5101

Closed
AaronFeickert opened this issue Jan 11, 2023 · 1 comment · Fixed by #5111
Comments

@AaronFeickert (Collaborator)

Currently, the only check performed on a new interactively-supplied passphrase is that it not be empty. If the user enters a weak passphrase, there is no feedback indicating this. While it should ultimately be up to the user if they wish to use a weak passphrase, there should be actionable feedback to guide the user if they wish to use a stronger passphrase.

Estimating the practical entropy of a passphrase and providing good feedback is nontrivial, but libraries like zxcvbn try their best to do so. It may be useful to score the passphrase entered by the user with such a library, use the library to present actionable feedback, and then give the user the option to choose a new passphrase if they wish.

@AaronFeickert (Collaborator, Author)

This may also be a good time to introduce a change that allows empty passphrases to be used, subject to suitable feedback indicating the risk of doing so. The user may wish to store backup data with the intent of having it fail available.

stringhandler pushed a commit that referenced this issue Jan 18, 2023
Description
---
Adds wallet password complexity feedback. Allows empty passwords. Adds a warning indicating that password changing functionality is [not yet implemented](#5003). Adds tests.

Closes [issue 5101](#5101).

Motivation and Context
---
The only check on a wallet password is that it not be empty. This introduces two issues:
- The user has no feedback on the practical strength of their password.
- The user may specifically wish not to set a password for fail-available backups.

This PR uses the [zxcvbn](https://crates.io/crates/zxcvbn) password complexity library to score a password and provide actionable feedback to the user. When the user enters a new password or changes their password, feedback is displayed if applicable. This is informational; the user is free to ignore the feedback if they wish.

Further, the user is now allowed to set an empty password, which may be desired for backups that must fail available. A warning is displayed if this happens.

Finally, a warning message is displayed during the password changing process to indicate that this functionality is incomplete.

How Has This Been Tested?
---
Existing CI passes. New tests pass. Tested manually for new wallets.
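The flow the issue and PR describe (score the candidate, show actionable feedback, allow an empty passphrase with a warning, and let the user pick again) as an added, stand-alone example. This is not the project's code and does not call the zxcvbn crate: `estimate_guesses` is a deliberately crude stand-in with a constructed five-word list, so the scores are illustrative only; the 0..4 buckets and the prompt loop are what a wallet would wire to the real library.

```rust
// Constructed toy ranked wordlist standing in for zxcvbn's dictionaries (assumption, not real data).
const COMMON_WORDS: [&str; 5] = ["password", "123456", "qwerty", "letmein", "wallet"];

/// Rough guess-count estimate. A stand-in for the zxcvbn crate so this runs offline.
fn estimate_guesses(passphrase: &str) -> f64 {
    let lowered = passphrase.to_lowercase();
    if let Some(rank) = COMMON_WORDS.iter().position(|w| lowered.starts_with(w)) {
        // Dictionary word plus a short tail: roughly rank * 10^tail_len guesses.
        let tail = lowered.len() - COMMON_WORDS[rank].len();
        return (rank as f64 + 1.0) * 10f64.powi(tail as i32);
    }
    // Otherwise assume brute force over the character classes actually present.
    let has = |f: fn(char) -> bool| passphrase.chars().any(f);
    let space = 26.0 * (has(|c| c.is_ascii_lowercase()) as u8 as f64)
        + 26.0 * (has(|c| c.is_ascii_uppercase()) as u8 as f64)
        + 10.0 * (has(|c| c.is_ascii_digit()) as u8 as f64)
        + 33.0 * (has(|c| !c.is_ascii_alphanumeric()) as u8 as f64);
    space.powi(passphrase.chars().count() as i32)
}

/// zxcvbn-style 0..4 score bucket derived from the guess count.
fn score(guesses: f64) -> u8 {
    [1e3, 1e6, 1e8, 1e10].iter().position(|&l| guesses < l).map(|p| p as u8).unwrap_or(4)
}

/// Score a candidate and return (score, warnings). Empty is allowed, but warned about.
fn passphrase_feedback(passphrase: &str) -> (u8, Vec<String>) {
    if passphrase.is_empty() {
        let w = "Empty passphrase: wallet data is stored unencrypted; only choose this for backups that must fail available.";
        return (0, vec![w.to_string()]);
    }
    let s = score(estimate_guesses(passphrase));
    let warnings = if s < 3 {
        vec![format!("Weak passphrase (score {s}/4). Consider several unrelated words or a longer phrase.")]
    } else {
        Vec::new()
    };
    (s, warnings)
}

/// Prompt loop: `ask` yields a candidate; `confirm` is shown the warnings and returns true to keep it anyway.
fn choose_passphrase(mut ask: impl FnMut() -> String, mut confirm: impl FnMut(&[String]) -> bool) -> String {
    loop {
        let candidate = ask();
        let (_, warnings) = passphrase_feedback(&candidate);
        if warnings.is_empty() || confirm(&warnings) {
            return candidate;
        }
    }
}
```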