
Changes in "[Security] Visual password strength meter (OWASP ASVS v4.0.3-2.1.8)"


Body

  • -["

    Is your feature request related to a problem? Please describe.
    Currently Decidim does not instruct users much about whether the password they chose is a weak or a strong one.

    OWASP Application Security Verification Standard (ASVS) version 4.0.3 suggests showing a visual password strength meter to indicate to users whether the password they selected is strong enough.

    This comes from recommendation numbered 2.1.8 which states the following:

    Verify that a password strength meter is provided to help users set a stronger password.

    Further reading/reference:
    https://github.com/OWASP/ASVS

    Describe the solution you'd like
    We ask the user to enter an account password in three places of the application:

    1. When signing up / on the registration form
    2. When changing the account settings at /account
    3. When resetting the password after forgotten password at /users/password/new
    4. When asking admins to reset their password regularly at /change_password

    In both these places we should have a visual "meter" which indicates to the user whether their password is strong or not.

    A good reference for this is e.g. the password strength meter for angular which can be tested here:
    https://antoantonyk.github.io/password-strength-meter/

    GitHub repository:
    https://github.com/antoantonyk/password-strength-meter

    In addition to the visual strength level guide, there should also be a text representation of the current level, i.e. "very weak", "weak", "moderate", "strong" or "very strong".

    Describe alternatives you've considered
    According to the OWASP ASVS, there are no alternatives to support this requirement.

    The implementation details can be further discussed to reach the best possible solution.

    Additional context
    This issue has been identified by security experts who have evaluated the Decidim platform version 0.27.

    Could this issue impact users' private data?
    It does not affect users' private data, but it improves user security, which can have positive implications for the user data (e.g. harder to hack the user accounts).

    Funded by
    N/A

    "]
  • +["

    Is your feature request related to a problem? Please describe.
    Currently Decidim does not instruct users much about whether the password they chose is a weak or a strong one.

    OWASP Application Security Verification Standard (ASVS) version 4.0.3 suggests showing a visual password strength meter to indicate to users whether the password they selected is strong enough.

    This comes from recommendation numbered 2.1.8 which states the following:

    Verify that a password strength meter is provided to help users set a stronger password.

    Further reading/reference:
    https://github.com/OWASP/ASVS

    Describe the solution you'd like
    We ask the user to enter an account password in four places of the application:

    1. When signing up / on the registration form
    2. When changing the account settings at /account
    3. When resetting the password after forgotten password at /users/password/new
    4. When asking admins to reset their password regularly at /change_password

    In both these places we should have a visual "meter" which indicates to the user whether their password is strong or not.

    A good reference for this is e.g. the password strength meter for angular which can be tested here:
    https://antoantonyk.github.io/password-strength-meter/

    GitHub repository:
    https://github.com/antoantonyk/password-strength-meter

    In addition to the visual strength level guide, there should also be a text representation of the current level, i.e. "very weak", "weak", "moderate", "strong" or "very strong".

    Describe alternatives you've considered
    According to the OWASP ASVS, there are no alternatives to support this requirement.

    The implementation details can be further discussed to reach the best possible solution.

    Additional context
    This issue has been identified by security experts who have evaluated the Decidim platform version 0.27.

    Could this issue impact users' private data?
    It does not affect users' private data, but it improves user security, which can have positive implications for the user data (e.g. harder to hack the user accounts).

    Funded by
    N/A

    "]
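As an added example (not code from Decidim, the issue author, or the referenced Angular meter), a small client-side scorer in JavaScript that produces the five text levels the issue asks for. The entropy thresholds, the "predictable character" heuristic and the short common-password list are assumptions; a meter like this is user feedback only, and the server still has to enforce its own password policy.

```javascript
// Hypothetical client-side password strength estimator (added example).
// It estimates entropy in bits from the character classes used and the
// number of non-predictable characters, then maps that to the five labels
// requested in the issue. A meter is feedback, not validation.

// Constructed denylist of very common passwords; a real deployment would use
// a much larger list or a server-side breached-password check.
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein", "decidim"]);

const LEVELS = ["very weak", "weak", "moderate", "strong", "very strong"];

// Assumed bit thresholds: below 28 very weak, 28-35 weak, 36-59 moderate,
// 60-79 strong, 80 and above very strong.
const THRESHOLDS = [28, 36, 60, 80];

// Size of the alphabet the password appears to draw from.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII symbols, incl. space
  return size;
}

// Characters that merely repeat or continue the previous one (aaa, 1234, abcd)
// add almost no real entropy, so they are excluded from the effective length.
function predictableChars(pw) {
  let n = 0;
  for (let i = 1; i < pw.length; i++) {
    const diff = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    if (diff === 0 || diff === 1 || diff === -1) n++;
  }
  return n;
}

// Returns { bits, level }. Common passwords are scored "very weak" even when
// padded with digits or symbols ("Password123!" is still "password").
function passwordStrength(pw) {
  if (pw.length === 0) return { bits: 0, level: LEVELS[0] };
  const lettersOnly = pw.toLowerCase().replace(/[^a-z]/g, "");
  if (COMMON_PASSWORDS.has(pw.toLowerCase()) || COMMON_PASSWORDS.has(lettersOnly)) {
    return { bits: 0, level: LEVELS[0] };
  }
  const effectiveLength = Math.max(1, pw.length - predictableChars(pw));
  const bits = effectiveLength * Math.log2(charsetSize(pw));
  let idx = 0;
  while (idx < THRESHOLDS.length && bits >= THRESHOLDS[idx]) idx++;
  return { bits: Math.round(bits), level: LEVELS[idx] };
}
```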
