Comments (7)
@jdhoek I haven't forgotten about this, my day job just got really crazy for the past couple weeks, and now I've got a couple weeks of vacation planned where I'm not going to be near a computer. I'll dedicate a little time to knock this out once back.
from nbvcxz.
@jdhoek Was wondering on this, should we just leave it at a single warning for the longest match (as it is currently), but add additional suggestions based on the other match types the user hits?
With a password candidate like apples1980 I can imagine wanting to present the feedback to the user something like this:
This password is too weak ← Often this will be represented by some form of bar. I intend to base this on the entropy number returned in the feedback.
ℹ️ Add a few more words for a stronger password
ℹ️ Instead of a password, create a passphrase — it's okay to include spaces and punctuation as well
(Well, with friendlier formatting obviously, but I'll just use these GitHub icons for the example.)
So basically relevant warnings and relevant suggestions; although the latter tend to boil down to 'add more words'. By providing all warnings at once, the user gets positive feedback as they improve their password (the warnings disappear one by one). So you would get a list of warnings in the feedback if multiple matches are found (except for BruteForceMatch I guess?).
If only one warning is returned, the user might fix one issue (replacing 'apples' with 'snozberries') and frustratingly have the next one pop up (don't use years).
Having the 'secondary' warnings as a suggestion would be a bit weird, because they would go from a suggestion to a warning once the primary warning is resolved.
I hope this helps.
The issue I see with returning all feedback all the time, is in passwords where a few patterns are hit, you'll hit a point where you are just returning a wall of text. Also, there is nothing inherently wrong about using any of the match types within a password, other than if the password as a whole is not deemed to have enough entropy. That is why after getting it to that point (the minimum entropy that is), the feedback doesn't keep returning more suggestions or warnings.
I'm thinking keeping it to the longest portion of the password for the warning, and adding suggestions for the other reasons is a good compromise. It also cuts down on API changes, and how much code has to be touched. It also does give the user feedback that we know about those other portions of their password, and gives them suggestions on how to improve it.
Thoughts?
The issue I see with returning all feedback all the time, is in passwords where a few patterns are hit, you'll hit a point where you are just returning a wall of text.
Agreed, that's not helpful.
I'm thinking keeping it to the longest portion of the password for the warning, and adding suggestions for the other reasons is a good compromise.
What does this mean for consumers of the library? The warning would be something you'd always show I suppose (provided the minimum entropy has not been met), but what about the suggestions? Are all equally relevant, or can they be sorted in decreasing order of relevancy?
If the user acts on the warning ('apples is a common password', so: apples1980 → snozberries1980) then if I understand correctly, if the minimum entropy is not met, the 'don't use a year' suggestion turns into a warning?
It looks like the warning/suggestion division may not be as clear-cut, but perhaps that is not so bad? Instead of a single warning and an unordered list of suggestions, might it be useful to return an ordered list of weighted suggestions?
That is, all suggestions get a relevance value (perhaps a double or float between 0.0 and 1.0), and Feedback would get a getter method that returns List<Suggestion>:
```java
public class Suggestion implements Comparable<Suggestion>
{
    String messageKey;         // stable key consumers can use for their own translations
    String translatedMessage;  // human-readable text for this suggestion
    String token;              // the part of the candidate password relevant to this suggestion?
    float relevance;           // 0.0 .. 1.0, higher is more relevant

    // Order by relevance, descending, so the most relevant suggestion sorts first.
    @Override
    public int compareTo(Suggestion other)
    {
        return Float.compare(other.relevance, this.relevance);
    }
}
```
The relevance of a suggestion could be determined in part by using the length of the match (so the longest match will have a high relevance) and any other heuristics you care to put in (perhaps emphasize common password warnings).
Consumers of the API can choose to show only the top n of the list as feedback (perhaps two or three) so the user is never overwhelmed with suggestions. Consumers can also choose to emphasize highly relevant (e.g., relevance > 0.8) suggestions (effectively treating them as warnings) by using different styling.
Any consumers who would like more details (automated password analysis maybe?) can just use the complete list of suggestions.
That would mean an API change though, but I wouldn't worry too much about doing that (just version releases accordingly).
Anyone who really wants the one warning, multiple suggestions strings can just take the 'heaviest' suggestion as warning and use the rest as is (you could even leave the current methods as @Deprecated and do just that).
The benefit of this approach is that you can easily introduce improved and/or additional suggestions in the future without breaking the API again, and if it turns out that certain suggestions are more relevant than others, you can just tweak the algorithm assigning their relevance.
Edit: added messageKey field to Suggestion class.
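The weighted-suggestion design discussed in this thread (one warning plus ranked suggestions, or a single ordered list that consumers trim to the top n), as an added example that is neither part of the issue comments nor nbvcxz's own code. The Suggestion class follows the sketch above with its compareTo filled in; the Match stand-in, the rank heuristic (fraction of the password covered by the match, with a bump for dictionary hits, nothing for brute-force filler) and the topN/warning helpers are assumptions made for this example, not the library's API.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example: weighted, ranked feedback for a password candidate.
// Names other than Suggestion and its fields are hypothetical, not nbvcxz's.
public class WeightedFeedbackExample {

    /** One piece of feedback about a portion of the candidate password. */
    public static final class Suggestion implements Comparable<Suggestion> {
        final String messageKey;
        final String translatedMessage;
        final String token;      // the part of the candidate this suggestion is about
        final float relevance;   // 0.0 .. 1.0, higher = more important

        Suggestion(String messageKey, String translatedMessage, String token, float relevance) {
            this.messageKey = messageKey;
            this.translatedMessage = translatedMessage;
            this.token = token;
            this.relevance = relevance;
        }

        /** Orders by relevance, descending, so the "heaviest" suggestion sorts first. */
        @Override
        public int compareTo(Suggestion other) {
            return Float.compare(other.relevance, this.relevance);
        }

        @Override
        public String toString() {
            return String.format("%.2f %-16s %s", relevance, messageKey, translatedMessage);
        }
    }

    /** Minimal stand-in for a pattern match (hypothetical; the real library has richer match classes). */
    public static final class Match {
        final String type;   // e.g. "dictionary", "year", "bruteforce"
        final String token;
        Match(String type, String token) { this.type = type; this.token = token; }
    }

    /**
     * Assumed heuristic: relevance is the fraction of the password covered by the
     * match, plus a fixed bump for dictionary hits (capped at 1.0). Brute-force
     * filler yields no suggestion, as the thread proposes.
     */
    static List<Suggestion> rank(String password, List<Match> matches) {
        List<Suggestion> out = new ArrayList<>();
        for (Match m : matches) {
            float coverage = (float) m.token.length() / password.length();
            switch (m.type) {
                case "dictionary":
                    out.add(new Suggestion("common.password",
                            "'" + m.token + "' is a common password; add a few more words",
                            m.token, Math.min(1.0f, coverage + 0.3f)));
                    break;
                case "year":
                    out.add(new Suggestion("recent.year",
                            "Avoid recent years like '" + m.token + "'",
                            m.token, coverage));
                    break;
                default:
                    // "bruteforce" and unknown types carry no actionable advice
                    break;
            }
        }
        Collections.sort(out);   // uses Suggestion.compareTo: descending relevance
        return out;
    }

    /** Consumer view: only the top-n suggestions, so the user is never shown a wall of text. */
    static List<Suggestion> topN(List<Suggestion> ranked, int n) {
        return ranked.subList(0, Math.min(n, ranked.size()));
    }

    /** Backwards-compatible view: the heaviest suggestion doubles as the single warning. */
    static String warning(List<Suggestion> ranked) {
        return ranked.isEmpty() ? null : ranked.get(0).translatedMessage;
    }

    public static void main(String[] args) {
        String candidate = "apples1980";
        // Constructed matches for the thread's example password
        List<Match> matches = new ArrayList<>();
        matches.add(new Match("year", "1980"));
        matches.add(new Match("dictionary", "apples"));

        List<Suggestion> ranked = rank(candidate, matches);
        System.out.println("warning: " + warning(ranked));
        for (Suggestion s : topN(ranked, 2)) {
            System.out.println(s);
        }
    }
}
```

With the constructed input, the dictionary match on "apples" (coverage 0.6 plus the bump, capped at 0.9) sorts ahead of the year match (0.4), so the old "one warning, then suggestions" shape falls out of the same list without a separate API path.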
By all means, take your time!
Once I got back from Vacation, of course work got really crazy. Going to start looking at this again.