Add back password strength meter #528

Closed
matthew-white opened this issue Jan 21, 2022 · 9 comments · Fixed by #752

@matthew-white
Member

matthew-white commented Jan 21, 2022

In #526, the password strength meter is removed because the package we use doesn't support Vue 3 (apertureless/vue-password-strength-meter#54). v1.4 won't ship with a password strength meter, but I think we will add one back in v1.5.

When we add it back, we'll have to decide what kind of password strength meter to use. I think we have two main options:

  • Use a dictionary approach.
    • The main issue here is that zxcvbn is no longer maintained. However, there is a fork of it rewritten in TypeScript that we could look into (https://github.com/zxcvbn-ts/zxcvbn).
    • I'm not sure that there's a Vue component out there that uses this fork, but we could probably write our own without too much difficulty.
    • How does this interact with internationalization? Would we want to use dictionaries for languages other than English?
  • Use a pattern-based approach.
    • Given that our only requirement for passwords/passphrases is that they are at least 10 characters long, this approach might work fine for our needs.
    • This approach is lighter-weight insomuch as it doesn't require the user to download a large dictionary.
    • One component to look into: https://github.com/miladd3/vue-simple-password-meter

@lognaturel
Member

I did some reading on password strength meters. Seems that the general consensus is that they're all nonsense. However, because Psychology™️, people come up with stronger passwords when they see a meter, no matter what it says.

@matthew-white
Member Author

Ah that's very interesting. Knowing that, I think I'd lean more strongly toward the simpler pattern-based approach.

@lognaturel
Member

lognaturel commented Jan 28, 2022

Citation needed: this NDSS 2014 paper analyzes password meters out in nature and shows how different they are. This 2020 paper finds the same (they make some recommendations but I don't know how practical they are); this CHI paper from 2013 found that people improved password strength when presented with meters if they thought the site was important.

@matthew-white
Member Author

We ended up removing the password strength meter in a separate PR, #586. v1.5 won't ship with a password strength meter, but we want to add one back in v1.6.

@matthew-white matthew-white added this to the v2023.1 milestone Nov 16, 2022
@matthew-white matthew-white moved this to 🕒 backlog in ODK Central Dec 20, 2022
@matthew-white matthew-white removed this from the v2023.1 milestone Jan 24, 2023
@matthew-white matthew-white self-assigned this Feb 7, 2023
@matthew-white matthew-white moved this from 🕒 backlog to ✏️ in progress in ODK Central Feb 11, 2023
matthew-white added a commit that referenced this issue Mar 1, 2023
matthew-white added a commit that referenced this issue Mar 1, 2023
@matthew-white
Member Author

matthew-white commented Mar 2, 2023

Notes for the QA team:

  • A password strength meter can be found on three pages:
    1. The "Edit Profile" page
    2. The "Set Password" page (after starting the password reset process)
    3. The project settings page, after clicking "Enable encryption…"
  • The strength meter evaluates a password based only on its length. A password must be a minimum of 10 characters. For 10 characters, the password strength meter fills 3/5 bars and is an orange color. As the password length increases, more bars are filled, and the color becomes more green.

@github-project-automation github-project-automation bot moved this from ✏️ in progress to ✅ done in ODK Central Mar 2, 2023
@dbemke

dbemke commented Mar 2, 2023

Tested with success!

@srujner

srujner commented Mar 2, 2023

Tested with success!
