
[Security] Visual password strength meter (OWASP ASVS v4.0.3-2.1.8)

AH

Is your feature request related to a problem? Please describe.
Currently Decidim does not instruct users much about whether the password they chose is a weak or a strong one.

The OWASP Application Security Verification Standard (ASVS) version 4.0.3 suggests showing a visual password strength meter to indicate to users whether the password they selected is strong enough.

This comes from recommendation 2.1.8, which states the following:

Verify that a password strength meter is provided to help users set a stronger password.

Further reading/reference:
https://github.com/OWASP/ASVS

Describe the solution you'd like
We ask the user to enter an account password in four places of the application:

  1. When signing up / on the registration form
  2. When changing the account settings at /account
  3. When resetting the password after forgotten password at /users/password/new
  4. When asking admins to reset their password regularly at /change_password

In all of these places we should have a visual "meter" which indicates to the user whether their password is strong or not.

A good reference for this is e.g. the password strength meter for Angular, which can be tested here:
https://antoantonyk.github.io/password-strength-meter/

GitHub repository:
https://github.com/antoantonyk/password-strength-meter

In addition to the visual strength level guide, there should also be a text representation of the current level, i.e. "very weak", "weak", "moderate", "strong" or "very strong".
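As an added illustration of how such a meter can map a password to the five levels named above (example code, not Decidim's code and not the algorithm of the linked Angular meter): a small client-side estimator whose scoring rules, thresholds and common-password list are this example's own assumptions.

```javascript
// Added example: heuristic strength estimator producing the five labels the
// request lists. Scoring rules and thresholds are assumptions of this example.
const LEVELS = ["very weak", "weak", "moderate", "strong", "very strong"];

// Constructed, deliberately tiny list of passwords too common to reward;
// a real meter would ship a much larger list.
const COMMON = new Set(["password", "123456", "qwerty", "letmein", "decidim"]);

// Size of the alphabet the password appears to draw from.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^A-Za-z0-9]/.test(pw)) size += 33; // printable ASCII punctuation and space
  return size;
}

// Rough guess-resistance in bits: length * log2(alphabet), reduced for
// patterns that guessing tools try first.
function estimateBits(pw) {
  if (pw.length === 0) return 0;
  let bits = pw.length * Math.log2(charsetSize(pw));
  if (/(.)\1{2,}/.test(pw)) bits *= 0.7;            // runs like "aaa" or "111"
  if (/(?:abc|123|qwe|xyz)/i.test(pw)) bits *= 0.8; // keyboard/alphabet sequences
  if (COMMON.has(pw.toLowerCase())) bits = 4;       // a dictionary guess, not entropy
  return bits;
}

// Maps the bit estimate onto the five levels; thresholds are assumptions.
function strengthLevel(pw) {
  const bits = estimateBits(pw);
  let score;
  if (bits < 28) score = 0;
  else if (bits < 36) score = 1;
  else if (bits < 60) score = 2;
  else if (bits < 80) score = 3;
  else score = 4;
  return { score, label: LEVELS[score], bits: Math.round(bits) };
}

// What the UI needs: a bar width and the text representation of the level.
function renderMeter(pw) {
  const { score, label } = strengthLevel(pw);
  return {
    percent: ((score + 1) * 100) / LEVELS.length,
    text: `Password strength: ${label}`,
  };
}
```

A production meter should rely on a tested estimator such as zxcvbn rather than this heuristic; the point here is how a score becomes the five labels and the bar the request asks for.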

Describe alternatives you've considered
According to the OWASP ASVS, there are no alternatives to support this requirement.

The implementation details can be further discussed to reach the best possible solution.

Additional context
This issue has been identified by security experts who have evaluated the Decidim platform version 0.27.

For evaluating the password strength, we can use the same algorithm that the example implementation uses:

Could this issue impact users' private data?
It does not affect users' private data, but it improves user security, which can have positive implications for user data (e.g. it makes user accounts harder to hack).

Funded by
N/A
