Do not run zxcvbn on long passwords #34

ghost · 2018-05-06T17:26:48Z

As I know from personal experience, long passwords result in the web-page hanging due to strength estimation.

Lemmmy · 2018-05-06T17:55:32Z

I would consider placing this limit as 64 chars instead, as you can get pretty insecure passwords by combining 3 dictionary words that are still longer than 24 chars.

Lemmmy · 2018-05-06T18:00:39Z

According to this issue and a few related issues, the issues only start to appear in the order of 256+ chars, so this limit could be placed around 128 safely, while still ensuring the security of passwords is properly checked.

ghost · 2018-05-06T20:00:26Z

Changed to 128

Lignum · 2018-05-06T20:12:50Z

src/js/modal/login-wallet/modal.js

+			} else {
+				let strength = zxcvbn(password);
+				let score = strength.score;
+			}


This can't be right. let variables do not exist outside of their scope like vars do. I think you mean:

const score = password.length >= 128 ? 5 : zxcvbn(password).score;

Ahhh you beat me

Lignum's review is better

Do not run zxcvbn on long passwords

a493ba2

Change to 128

61a56bd

Lignum suggested changes May 6, 2018

View reviewed changes

I suck at JS

3a338f8

Lemmmy merged commit 9d6b947 into tmpim:master May 6, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Do not run zxcvbn on long passwords #34

Do not run zxcvbn on long passwords #34

ghost commented May 6, 2018

Lemmmy commented May 6, 2018 •

edited

Loading

Lemmmy commented May 6, 2018

ghost commented May 6, 2018

Lignum May 6, 2018

Lemmmy May 6, 2018

Do not run zxcvbn on long passwords #34

Do not run zxcvbn on long passwords #34

Conversation

ghost commented May 6, 2018

Lemmmy commented May 6, 2018 • edited Loading

Lemmmy commented May 6, 2018

ghost commented May 6, 2018

Lignum May 6, 2018

Choose a reason for hiding this comment

Lemmmy May 6, 2018

Choose a reason for hiding this comment

Lemmmy commented May 6, 2018 •

edited

Loading