[Security] Visual password strength meter (OWASP ASVS v4.0.3-2.1.8)
Is your feature request related to a problem? Please describe.
Currently, Decidim gives users little indication of whether the password they chose is weak or strong.
OWASP Application Security Verification Standard (ASVS) version 4.0.3 suggests showing a visual password strength meter to indicate to users whether the password they selected is strong enough.
This comes from recommendation numbered 2.1.8 which states the following:
Verify that a password strength meter is provided to help users set a stronger password.
Describe the solution you'd like
We ask the user to enter an account password in four places of the application:
- When signing up / on the registration form
- When changing the account settings at /account
- When resetting the password after forgotten password at /users/password/new
- When asking admins to reset their password regularly at /change_password
In all of these places we should have a visual "meter" which indicates to the user whether their password is strong or not.
A good reference for this is e.g. the password strength meter for Angular, which can be tested here:
In addition to the visual strength level guide, there should also be a text representation of the current level, i.e. "very weak", "weak", "moderate", "strong" or "very strong".
Describe alternatives you've considered
According to the OWASP ASVS, there are no alternatives to support this requirement.
The implementation details can be further discussed to reach the best possible solution.
This issue has been identified by security experts who have evaluated the Decidim platform version 0.27.
For evaluating the password strength, we can use the same algorithm that the example implementation uses:
- JS: https://github.com/dropbox/zxcvbn
- Ruby: https://github.com/envato/zxcvbn-ruby
- Paper and presentation: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
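To make the proposal concrete, here is an added example (not Decidim's code and not the zxcvbn library) of what the server side of such a meter could look like: a small estimator in the spirit of zxcvbn that turns a password into an estimated guess count, maps that count to a 0–4 score using zxcvbn's published thresholds (1e3, 1e6, 1e8, 1e10 guesses), and attaches the five text labels listed above. The `PasswordMeter` module, its mini-dictionary and the `minimum_score: 3` policy are all hypothetical; the estimator only models whole-password dictionary hits, trailing digits, single-character repeats, straight sequences and brute force, so it is a stand-in that runs offline, not a replacement for the zxcvbn-ruby gem.

```ruby
# Hypothetical module (added example, not Decidim code): a simplified
# zxcvbn-style password strength estimator with the five text labels the
# issue asks for. Swap estimate_guesses for the zxcvbn-ruby gem's scoring
# in real use; this version exists so the file runs with no dependencies.
module PasswordMeter
  # Constructed mini-dictionary, most common first (rank = index + 1).
  COMMON_PASSWORDS = %w[password 123456 qwerty letmein football decidim].freeze
  LABELS = ['very weak', 'weak', 'moderate', 'strong', 'very strong'].freeze

  # Size of the alphabet an attacker would have to search for a blind guess.
  def self.charset_size(password)
    size = 0
    size += 26 if password.match?(/[a-z]/)
    size += 26 if password.match?(/[A-Z]/)
    size += 10 if password.match?(/\d/)
    size += 33 if password.match?(/[^a-zA-Z\d]/)
    size
  end

  def self.brute_force_guesses(password)
    charset_size(password).to_f**password.length
  end

  # Dictionary hit, optionally with trailing digits ("password1" -> rank * 10).
  # A single capital letter doubles the work, as in zxcvbn's uppercase variations.
  def self.dictionary_guesses(password)
    variations = password.match?(/[A-Z]/) ? 2 : 1
    lower = password.downcase
    rank = COMMON_PASSWORDS.index(lower)
    return (rank + 1) * variations if rank

    base = lower.sub(/\d+\z/, '')
    rank = COMMON_PASSWORDS.index(base)
    return nil unless rank

    (rank + 1) * 10**(lower.length - base.length) * variations
  end

  def self.repeat?(password)
    password.length > 1 && password.chars.uniq.size == 1
  end

  # "abcdef", "987654": every step is +1 or -1 in codepoint.
  def self.sequence?(password)
    return false if password.length < 3

    deltas = password.codepoints.each_cons(2).map { |a, b| b - a }
    deltas.uniq.size == 1 && deltas.first.abs == 1
  end

  # Cheapest attack wins: the lowest guess estimate across all matchers.
  def self.estimate_guesses(password)
    candidates = [brute_force_guesses(password)]
    dict = dictionary_guesses(password)
    candidates << dict if dict
    candidates << charset_size(password) * password.length if repeat?(password)
    candidates << 10 * password.length if sequence?(password)
    candidates.min.to_f
  end

  # zxcvbn's guesses_to_score thresholds (DELTA = 5).
  def self.score(guesses)
    delta = 5
    return 0 if guesses < 1e3 + delta
    return 1 if guesses < 1e6 + delta
    return 2 if guesses < 1e8 + delta
    return 3 if guesses < 1e10 + delta

    4
  end

  def self.strength(password)
    guesses = estimate_guesses(password)
    s = score(guesses)
    { guesses: guesses, score: s, label: LABELS[s] }
  end

  # Server-side gate for the forms listed in the issue; the meter alone is
  # advisory, so the same score is also enforced on submit.
  def self.acceptable?(password, minimum_score: 3)
    strength(password)[:score] >= minimum_score
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[password Password1 aaaaaaaa abcdefgh Zx9# Zx9#q].each do |pw|
    r = PasswordMeter.strength(pw)
    bar = ('#' * (r[:score] + 1)).ljust(5, '-')
    puts format('%-10s [%s] %-11s ~%.0f guesses', pw, bar, r[:label], r[:guesses])
  end
end
```

The point the meter makes to the user is visible in the demo: "Password1" satisfies a typical "letters plus a digit" rule yet scores "very weak", while a short but unpredictable string moves up the scale one level per added character. The same `score` value would drive both the visual bar in the browser and the `acceptable?` check on submit, so the client-side meter and the server-side validation cannot disagree.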
Could this issue impact users' private data?
It does not affect users' private data, but it improves user security, which can have positive implications for user data (e.g. making user accounts harder to hack).