Problem/Motivation
Password cracking tools ship with lists of commonly used passwords, so we should warn users when a password is too weak to be of any use. The motivation is that the checker currently ranks the password "password" as fair.
Proposed resolution
This patch integrates Drupal with a third-party (MIT licensed) library for password strength checking. The library is zxcvbn.
Remaining tasks
- Needs security team review
- Needs sign-off from someone to approve the inclusion of the new JS library into core - 680k (320k gzipped)
User interface changes
The password strength meter will give a better approximation of how long it would take to brute-force the password; for example, the following will be checked:
- English words, with a frequency list skewed toward American usage and spelling
- Names and surnames, coming from the US census
- A few common keyboard-layout-based passwords (e.g. QWERTY)
- If the user's email address is used
- If the user's email address name part is used
- If the user's email address domain part is used
- If the user's username is used
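The account-specific checks listed above, as an added example that is not part of this patch or of zxcvbn itself: it derives the tokens (email, name part, domain part, username) that the real integration would pass as the second argument of zxcvbn(password, user_inputs), and checks a candidate against them plus a small constructed stand-in for a common-password list.

```javascript
// Added example (not the patch's code). A constructed stand-in for a
// common-password list; a real list (as used by zxcvbn) has many thousands.
const COMMON_PASSWORDS = ['password', '123456', 'qwerty', 'letmein', 'iloveyou'];

// Build the account tokens the meter should treat as "known": the email
// address, its name part, its domain part, and the username.
function buildUserInputs(email, username) {
  const tokens = [];
  if (username) tokens.push(username);
  if (email) {
    tokens.push(email);
    const at = email.indexOf('@');
    if (at > 0) {
      tokens.push(email.slice(0, at));   // name part
      tokens.push(email.slice(at + 1));  // domain part
    }
  }
  // Lowercase, drop very short tokens (they would match almost anything), dedupe.
  return [...new Set(tokens.map(t => t.toLowerCase()).filter(t => t.length >= 3))];
}

// Find dictionary entries (common passwords or account tokens) contained in the
// candidate. Verdict: 'too weak' when one entry is the entire password,
// 'weakened' when an entry is only a substring of it, otherwise 'ok'.
function checkPassword(password, userInputs) {
  const lower = password.toLowerCase();
  const dictionary = [...COMMON_PASSWORDS, ...userInputs];
  const hits = dictionary
    .filter(w => lower.includes(w))
    .sort((a, b) => b.length - a.length); // longest match first
  let verdict = 'ok';
  if (hits.some(w => w === lower)) verdict = 'too weak';
  else if (hits.length) verdict = 'weakened';
  return { verdict, hits };
}
```

In the real integration the substring matching and entropy estimate come from zxcvbn; this toy check only illustrates which account tokens feed it.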
API changes
n/a
Related Issues
Original report by webkenny
So while at the code sprint today I noticed that when you type the word "password" as your password, it marks that as "Fair". Luckily I happened to be sitting with Jakub, and greggles was in earshot, so we thought that maybe, based on this report to the security team (see http://drupal.org/node/454014#comment-5743806), it might be worth checking for a list of common words.