This contribution introduces a new PasswordValidator to prevent users to use passwords that are too commonly compromised. This is considered a good practice and is notably recommend by NIST [0]. In order to achieve this, a call to the Have I Been Pwned Password API [1] is done to check is a given password as already been found in known data breaches. To not be too hostile towards the user, to be considered as compromised a password must have been seen at least 10 times in data leaks. This is an arbitrary hardcoded limit. A future contribution could let administrators set a value they feel more appropriate. For now, this feature can only be enabled through an hidden option until it can be properly managed from the site administration and documented. Some changes has also been done in the JS script used to give the user some feedbacks about the password: * the script does not try to disable the autocomplete on the password field anymore as it does not encourage the user to choose a strong password and password managers vastly ignore the instruction anyway (as they should) * the script will wait a few ms before checking if the password complies with the policies, this avoids unnecessary calls. This is part of story #11182: prevent users to use a breached password [0] https://pages.nist.gov/800-63-3/sp800-63b.html#sec5 [1] https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange Change-Id: Idc1685f5361be738eeed3d982ba2f86e631bf057

+397 −10

Author

Thomas Gerbet (tgerbet) 2018-02-24 01:02

Committer

Thomas Gerbet (tgerbet) 2018-03-08 10:37

Hash e305b7cee146401ce5243f73eabf9c50ba5e8dc0

Parent f27e92618c4f9100f8f4e802abe1dc722db75db1

Reference git #tuleap/stable/e305b7cee146401ce5243f73eabf9c50ba5e8dc0