Vés al contingut principal

Configuració de les galetes

Fem servir galetes per assegurar les funcionalitats bàsiques del lloc web i per a millorar la teva experiència en línia. Pots configurar i acceptar l'ús de galetes, i modificar les teves opcions de consentiment en qualsevol moment.

Essencials

Preferències

Analítiques i estadístiques

Màrqueting

[Security] Visual password strength meter (OWASP ASVS v4.0.3-2.1.8)

Avatar: AH AH

Is your feature request related to a problem? Please describe.
Currently Decidim does not instruct users much about if the password they chose is weak or strong one.

OWASP Application Security Verification Standard (ASVS) version 4.0.3 suggests to show a visual password strength meter to indicate users if the password they selected is strong enough.

This comes from recommendation numbered 2.1.8 which states the following:

Verify that a password strength meter is provided to help users set a stronger password.

Further reading/reference:
https://github.com/OWASP/ASVS

Describe the solution you'd like
We ask the user to enter an account password in four places of the application:

  1. When signing up / on the registration form
  2. When changing the account settings at /account
  3. When resetting the password after forgotten password at /users/password/new
  4. When asking admins to reset their password regularly at /change_password

In both these places we should have a visual "meter" which indicates the user if their password is strong or not.

A good reference for this is e.g. the password strength meter for angular which can be tested here:
https://antoantonyk.github.io/password-strength-meter/

GitHub repository:
https://github.com/antoantonyk/password-strength-meter

In addition to the visual strength level guide, there should be also a text representation of the current level, i.e. "very weak", "weak", "moderate", "strong" or "very strong".

Describe alternatives you've considered
According to the OWASP ASVS, there are no alternatives to support this requirement.

The implementation details can be further discussed to reach the best possible solution.

Additional context
This issue has been identified by security experts who have evaluated the Decidim platform version 0.27.

For evaluating the password strength, we can use the same algorithm that the example implementation uses:

Does this issue could impact on users private data?
It does not affect users private data but it improves user security which can have positive implications on the user data (e.g. harder to hack the user accounts).

Funded by
N/A

Comentari

Confirmar

Si us plau, inicia la sessió

La contrasenya és massa curta.

Compartir