stable

Passwords known to be compromised can be rejected if a hidden option is enabled

This contribution introduces a new PasswordValidator to prevent users from using passwords that are too commonly compromised. This is considered a good practice and is notably recommended by NIST [0]. In order to achieve this, a call to the Have I Been Pwned Password API [1] is done to check if a given password has already been found in known data breaches. To not be too hostile towards the user, to be considered as compromised a password must have been seen at least 10 times in data leaks. This is an arbitrary hardcoded limit. A future contribution could let administrators set a value they feel is more appropriate. For now, this feature can only be enabled through a hidden option until it can be properly managed from the site administration and documented.

Some changes have also been done in the JS script used to give the user some feedback about the password:
* the script does not try to disable the autocomplete on the password field anymore as it does not encourage the user to choose a strong password and password managers vastly ignore the instruction anyway (as they should)
* the script will wait a few ms before checking if the password complies with the policies, this avoids unnecessary calls.

This is part of story #11182: prevent users from using a breached password

[0] https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
[1] https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange

Change-Id: Idc1685f5361be738eeed3d982ba2f86e631bf057
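The check the commit message describes (only the first 5 hex characters of the password's SHA-1 are sent to the range endpoint, the returned "SUFFIX:COUNT" lines are compared locally, and a count of 10 or more means compromised), as an added PHP example that is not the Tuleap code in PwnedPasswordChecker.php or PwnedPasswordRangeRetriever.php. The range fetcher is a constructed offline stand-in for the HTTPS call and the counts in it are made up.

```php
<?php
declare(strict_types=1);
// Added example, not Tuleap's PwnedPasswordChecker: k-anonymity lookup as the
// commit describes it. Only the first 5 hex characters of the SHA-1 are sent;
// the response lists "SUFFIX:COUNT" lines and the match is decided locally.
const COMPROMISED_THRESHOLD = 10; // same arbitrary limit as the commit message

/** Parse a range response body into [35-char uppercase suffix => count]. */
function parseRangeResponse(string $body): array
{
    $counts = [];
    foreach (preg_split('/\r?\n/', $body) as $line) {
        $line = trim($line);
        if ($line === '' || strpos($line, ':') === false) {
            continue; // skip blank or malformed lines instead of failing
        }
        [$suffix, $count] = explode(':', $line, 2);
        $counts[strtoupper($suffix)] = (int) $count;
    }
    return $counts;
}

// Number of times the password was seen in breaches, 0 if absent.
// $range_fetcher takes the 5-char prefix and returns the response body.
function pwnedCount(string $password, callable $range_fetcher): int
{
    $hash   = strtoupper(sha1($password));
    $counts = parseRangeResponse($range_fetcher(substr($hash, 0, 5)));
    return $counts[substr($hash, 5)] ?? 0;
}

function isCompromised(string $password, callable $range_fetcher): bool
{
    return pwnedCount($password, $range_fetcher) >= COMPROMISED_THRESHOLD;
}

// Constructed offline stand-in for the HTTPS GET to
// https://api.pwnedpasswords.com/range/{prefix}; the counts are made up.
$fake_fetcher = function (string $prefix): string {
    $ranges = [
        '5BAA6' => "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
                 . "0018A45C4D1DEF81644B54AB7F969B88D65:1",  // sha1("password")
        'A9993' => "E364706816ABA3E25717850C26C9CD0D89D:3",  // sha1("abc"), under 10
    ];
    return $ranges[$prefix] ?? ''; // unknown prefix: nothing matches
};

var_dump(isCompromised('password', $fake_fetcher)); // count 3861493 in stand-in
var_dump(isCompromised('abc', $fake_fetcher));      // count 3 in stand-in
```

A production fetcher should fail closed on transport errors only if the site policy accepts that users may be blocked by an outage; otherwise log the failure and skip the check, which is a deliberate trade-off to decide up front.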

Modified Files

M site-content/fr_FR/LC_MESSAGES/tuleap-core.po +7 −0
M site-content/tuleap-core.pot +5 −0
M src/common/autoload.php +5 −2
A src/common/password/HaveIBeenPwned/PwnedPasswordChecker.php +58 −0
A src/common/password/HaveIBeenPwned/PwnedPasswordRangeRetriever.php +67 −0
A src/common/password/PasswordCompromiseValidator.php +42 −0
M src/common/password/PasswordStrategy.class.php +16 −4
M src/www/scripts/check_pw.js +21 −4
A tests/phpunit/common/password/HaveIBeenPwned/PwnedPasswordCheckerTest.php +67 −0
A tests/phpunit/common/password/HaveIBeenPwned/PwnedPasswordRangeRetrieverTest.php +63 −0
A tests/phpunit/common/password/PasswordCompromiseValidatorTest.php +45 −0
M tests/phpunit/phpunit.xml +1 −0