Tryton - Issues


Issue6379

Title: Add some constraints on password
Priority: feature
Status: in-progress
Superseder:
Nosy List: ced, nicoe, pokoli, reviewbot
Type: behavior
Components: trytond, web_user
Assigned To: ced
Keywords: review
Reviews: 28091002

Created on 2017-03-20.13:17:38 by ced, last changed by reviewbot.

Messages
review28091002 updated at https://codereview.tryton.org/28091002/#ps60001
review28091002 updated at https://codereview.tryton.org/28091002/#ps40001
review28091002 updated at https://codereview.tryton.org/28091002/#ps20001
review28091002 updated at https://codereview.tryton.org/28091002/#ps1
msg32611 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2017-03-20.13:17:37
I think Jeff Atwood has a good analysis of password rules [1].
And I think he is right about adding a length rule.
About the common password check, it can be difficult to define what the common passwords are. But we could allow configuring a list of such passwords in a plain text file and load it into a set in memory.
For the entropy, we could simply check that len(set(password))/len(password) > <ratio from configuration>. I guess 0.75 is already a good one.
And we can forbid passwords equal to the login, name, email and "tryton".

[1] https://blog.codinghorror.com/password-rules-are-bullshit/
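The four checks proposed in the message above (length rule, common-password set loaded from a plain text list, the distinct-character ratio used as an entropy proxy, and forbidding the login, name, email and "tryton"), written out as an added example. This is not Tryton's own implementation: the function names, the minimum length of 8, the inline stand-in for the common-password file and the sample user values are assumptions made for this illustration.

```python
"""Password constraint checks along the lines proposed in the issue.

Added example, not Tryton's code. MIN_LENGTH, the function names and the
constructed common-password list below are assumptions for illustration.
"""

MIN_LENGTH = 8          # assumed minimum; the issue proposes a length rule but no number
ENTROPY_RATIO = 0.75    # distinct-character ratio suggested in the issue

# Constructed stand-in for the plain text file of common passwords the issue
# proposes: one password per line, loaded once into a set kept in memory.
COMMON_PASSWORDS_TEXT = """\
123456
password
qwerty
letmein
"""


def load_common_passwords(text):
    """Load a newline-separated password list into a set for O(1) membership tests."""
    return {line.strip() for line in text.splitlines() if line.strip()}


COMMON_PASSWORDS = load_common_passwords(COMMON_PASSWORDS_TEXT)


def entropy_ratio(password):
    """Ratio of distinct characters to length, the cheap entropy proxy from the issue."""
    if not password:
        return 0.0
    return len(set(password)) / len(password)


def password_errors(password, login=None, name=None, email=None,
                    min_length=MIN_LENGTH, ratio=ENTROPY_RATIO,
                    common=COMMON_PASSWORDS):
    """Return the names of the violated rules; an empty list means the password passes."""
    errors = []
    if len(password) < min_length:
        errors.append('length')
    if password in common:
        errors.append('common')
    # The issue requires the ratio to be strictly greater than the configured value.
    if entropy_ratio(password) <= ratio:
        errors.append('entropy')
    # Forbid a password that equals an identifying value or the product name.
    forbidden = {value for value in (login, name, email, 'tryton') if value}
    if password in forbidden:
        errors.append('forbidden')
    return errors


def validate_password(password, **context):
    """True when no rule is violated; context carries login/name/email."""
    return not password_errors(password, **context)


if __name__ == '__main__':
    # Constructed sample values for a local run.
    for candidate in ('password', 'tryton', 'Xk9#mQ2v', 'correct horse battery'):
        print(repr(candidate), password_errors(candidate, login='alice', email='alice@example.com'))
```

One property of the ratio rule worth knowing before setting it: because the number of distinct characters is bounded by the alphabet while the length is not, long passphrases with repeated letters ("correct horse battery" has 11 distinct characters in 21) score below 0.75 and are rejected, while a short string of unique characters passes. The ratio therefore complements the length rule rather than replacing it, and the configured value should be tuned against the kind of passwords the deployment expects.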
History
Date                 User       Action  Args
2017-03-23 12:09:03  reviewbot  set     messages: + msg32700
2017-03-21 14:58:21  reviewbot  set     messages: + msg32628
2017-03-21 14:28:17  reviewbot  set     messages: + msg32626
2017-03-21 00:58:17  reviewbot  set     nosy: + reviewbot; messages: + msg32619
2017-03-21 00:42:55  ced        set     status: testing -> in-progress
2017-03-21 00:42:49  ced        set     status: in-progress -> testing; reviews: 28091002; keyword: + review
2017-03-21 00:38:35  ced        set     component: + web_user
2017-03-20 13:54:56  nicoe      set     nosy: + nicoe
2017-03-20 13:19:06  pokoli     set     nosy: + pokoli
2017-03-20 13:17:38  ced        create
