Users can choose insecure passwords. This is one way to require that they choose better ones. It uses the zxcvbn library in Python. This cannot be done in a detector: a detector only sees the encrypted/hashed password, and password strength can only be checked against the unencrypted/unhashed (plaintext) password.
An implementation of the zxcvbn library is also available in JavaScript. The user.item.html template can be modified to give the user real-time feedback as they enter a password.
This page describes how to add a back-end check so that a password change is rejected if the new password is not strong enough.
To do this we monkeypatch the roundup.password.Password.setPassword method.
Before doing this we need to install the zxcvbn library. Install it using one of:
- your system's package manager
- pip install zxcvbn
- or, to install it just for your tracker, download it from https://github.com/dwolfhub/zxcvbn-python and put the files in your tracker's lib/zxcvbn directory
Once zxcvbn is installed, add this to your tracker's interfaces.py file (create it if needed).

## Test password strength
import roundup.password as password
from roundup.exceptions import Reject
from zxcvbn import zxcvbn

# monkey patch the setPassword method with this method
# that checks password strength.
origPasswordFunc = password.Password.setPassword

def mpPasswordFunc(self, plaintext, scheme, config=None):
    """ Replace the password set function with one that
    verifies that the password is complex enough. It
    has to be done at this point and not in an auditor
    as the auditor only sees the encrypted password.
    """
    results = zxcvbn(plaintext)
    if results['score'] < 3:
        # Build the feedback list explicitly. Under Python 3 map()
        # is lazy, so map(l.extend, ...) never runs and the
        # message would be empty. zxcvbn's warning is '' when it
        # has none, so only include it when it is set.
        feedback = results['feedback']
        l = []
        if feedback['warning']:
            l.append(feedback['warning'])
        l.extend(feedback['suggestions'])
        errormsg = " ".join(l)
        raise Reject("Password is too easy to guess. " + errormsg)
    return origPasswordFunc(self, plaintext, scheme, config=config)

password.Password.setPassword = mpPasswordFunc

Now when a user tries to change their password it is checked for strength and an error is raised if it isn't strong enough. Passing a user_inputs wordlist to zxcvbn, so that the username and other properties of the user (e.g. title, organization, ....) count against the password, is left as an exercise for the reader.
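The following is an added example, not code from this page or from the Roundup project. It factors the check out of the monkeypatch so it can be unit tested, works through the user_inputs exercise above, and fixes the message-building bug. The user property names (realname, organisation, address), the local Reject class and the fake_zxcvbn stand-in are assumptions; in a tracker you would pass zxcvbn.zxcvbn as the checker and raise roundup.exceptions.Reject.

```python
class Reject(Exception):
    """Stand-in for roundup.exceptions.Reject so this runs outside a tracker."""

def user_inputs_for(user_props):
    """Words zxcvbn should treat as guessable: the username and other
    identifying user properties (hypothetical property names below),
    skipping empty values so zxcvbn is not handed blanks."""
    words = []
    for key in ('username', 'realname', 'organisation', 'address'):
        value = user_props.get(key)
        if value:
            words.append(str(value))
    return words

def strength_error(results, min_score=3):
    """Return None when a zxcvbn result dict reaches min_score, otherwise
    the rejection message. The list is built explicitly: the page's
    map(l.extend, ...) is a lazy no-op under Python 3."""
    if results['score'] >= min_score:
        return None
    feedback = results.get('feedback', {})
    parts = []
    if feedback.get('warning'):          # warning is '' when zxcvbn has none
        parts.append(feedback['warning'])
    parts.extend(feedback.get('suggestions', []))
    return "Password is too easy to guess. " + " ".join(parts)

def check_password(plaintext, user_props, checker, min_score=3):
    """checker is zxcvbn.zxcvbn, or any callable with its result layout.
    In the tracker, call this from the monkeypatched setPassword."""
    results = checker(plaintext, user_inputs=user_inputs_for(user_props))
    msg = strength_error(results, min_score)
    if msg:
        raise Reject(msg)
    return True

# Constructed stand-in for zxcvbn so the example runs offline. It mimics the
# real result layout: a password containing a user_inputs word scores 0 with
# a warning, a short password scores 1 with suggestions only, else 4.
def fake_zxcvbn(plaintext, user_inputs=None):
    for word in user_inputs or []:
        if word.lower() in plaintext.lower():
            return {'score': 0, 'feedback': {
                'warning': 'Contains your name or organisation.',
                'suggestions': ['Avoid personal details.']}}
    if len(plaintext) < 12:
        return {'score': 1, 'feedback': {
            'warning': '', 'suggestions': ['Add another word or two.']}}
    return {'score': 4, 'feedback': {'warning': '', 'suggestions': []}}
```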
This technique can be adapted for other password strength checkers if zxcvbn is not to your liking.