Tryton - Issues


Issue6379

Title: Add some constraints on password
Priority: feature
Status: resolved
Superseder: (none)
Nosy List: ced, nicoe, pokoli, reviewbot, roundup-bot
Type: behavior
Components: trytond, web_user
Assigned To: ced
Keywords: review
Reviews: 28091002, 34061002

Created on 2017-03-20.13:17:38 by ced, last changed by roundup-bot.

Messages
New changeset cf1e4b899070 by Cédric Krier in branch 'default':
Add constraint on user password
http://hg.tryton.org/modules/web_user/rev/cf1e4b899070
New changeset 38f30d069d3f by Cédric Krier in branch 'default':
Add constraint on user password
http://hg.tryton.org/trytond/rev/38f30d069d3f
review28091002 updated at https://codereview.tryton.org/28091002/#ps140001
review28091002 updated at https://codereview.tryton.org/28091002/#ps120001
review34061002 updated at https://codereview.tryton.org/34061002/#ps1
review28091002 updated at https://codereview.tryton.org/28091002/#ps100001
msg33048 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2017-04-02.16:01:34
Ready for testing.
review28091002 updated at https://codereview.tryton.org/28091002/#ps80001
review28091002 updated at https://codereview.tryton.org/28091002/#ps60001
review28091002 updated at https://codereview.tryton.org/28091002/#ps40001
review28091002 updated at https://codereview.tryton.org/28091002/#ps20001
review28091002 updated at https://codereview.tryton.org/28091002/#ps1
msg32611 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2017-03-20.13:17:37
I think Jeff Atwood has a good analysis about password rules [1].
And I think he is right about adding a length rule.
About the common password check, it can be difficult to define what the common passwords are. But we could allow configuring a list of such passwords in a plain text file and loading it into a set in memory.
For the entropy, we could simply check that len(set(password))/len(password) > <ratio from configuration>. I guess 0.75 is already a good one.
And we can forbid passwords equal to the login, name, email and "tryton".

[1] https://blog.codinghorror.com/password-rules-are-bullshit/
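The four checks proposed in msg32611 (minimum length, common-password list loaded into a set, distinct-character ratio, and forbidden identity values) as an added illustration; this is not trytond's or web_user's own code, and the minimum length of 8, the rule names, the case-insensitive comparison and the sample common-password list are assumptions made here:

```python
# Added example (not trytond/web_user code) implementing the four checks
# proposed in msg32611: minimum length, common-password list, distinct
# character ratio, and forbidden identity values.

MIN_LENGTH = 8            # assumed configuration value
MIN_ENTROPY_RATIO = 0.75  # ratio suggested in the message

# Constructed stand-in for the configurable plain-text file of common
# passwords (one per line); a real deployment would read it from disk.
COMMON_PASSWORDS_FILE = """\
# comment lines and blanks are ignored
123456
password
qwerty
letmein
"""


def load_common_passwords(text):
    """Load a newline-separated password list into a set for O(1) lookup."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith('#')}


COMMON_PASSWORDS = load_common_passwords(COMMON_PASSWORDS_FILE)


def entropy_ratio(password):
    """Share of distinct characters: 1.0 means no repeats, values near 0
    mean highly repetitive strings such as 'aaaaaaaa'."""
    return len(set(password)) / len(password) if password else 0.0


def validate_password(password, login=None, name=None, email=None):
    """Return the names of the rules the password fails ([] = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append('length')
    if password in COMMON_PASSWORDS:
        failures.append('common')
    if entropy_ratio(password) <= MIN_ENTROPY_RATIO:
        failures.append('entropy')
    # Identity values are compared case-insensitively (an assumption).
    forbidden = {v.lower() for v in (login, name, email, 'tryton') if v}
    if password.lower() in forbidden:
        failures.append('forbidden')
    return failures
```

The distinct-character ratio penalises long passphrases with repeated letters (entropy_ratio('correct horse battery') is about 0.52), so the threshold has to be tuned together with the length rule.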
History
Date                 User         Action  Args
2017-04-03 17:06:02  roundup-bot  set     messages: + msg33077
2017-04-03 17:05:33  roundup-bot  set     status: testing -> resolved
                                          nosy: + roundup-bot
                                          messages: + msg33076
2017-04-03 16:35:12  reviewbot    set     messages: + msg33075
2017-04-03 15:00:31  reviewbot    set     messages: + msg33070
2017-04-02 16:10:51  reviewbot    set     messages: + msg33050
2017-04-02 16:10:33  reviewbot    set     messages: + msg33049
2017-04-02 16:01:34  ced          set     status: in-progress -> testing
                                          reviews: 28091002 -> 28091002,34061002
                                          messages: + msg33048
2017-04-02 13:34:17  reviewbot    set     messages: + msg33045
2017-03-23 12:09:03  reviewbot    set     messages: + msg32700
2017-03-21 14:58:21  reviewbot    set     messages: + msg32628

Showing 10 items.