r70769 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r70768‎ \| r70769 \| r70770 >
Date:	16:17, 9 August 2010
Author:	maxsem
Status:	reverted
Tags:
Comment:	Fixes for password checker from r70520: * Removed the upper bound for brute force complexity checks * Score for repetitions is now linear and is subtracted from brute force score to avoid overpenalizing long passwords * Disabled checks by default for now, since many people consider them overly intrusive * Made OutputPage::addPasswordSecurity() include jQuery just in case it's not already included * Documented a little
Modified paths:	/trunk/phase3/includes/DefaultSettings.php (modified) (history) /trunk/phase3/includes/OutputPage.php (modified) (history) /trunk/phase3/skins/common/password.js (modified) (history)

Diff [purge]

Index: trunk/phase3/skins/common/password.js
—	—	@@ -5,20 +5,16 @@
6	6	* @todo Check for popular passwords and keyboard sequences (QWERTY, etc)
7	7	*/
8	8
	9	+// Estimates how hard it would be to pick the password using brute forece
9	10	function bruteForceComplexity( pwd ) {
10		~~- var score = 0;~~
	11	+ var score = pwd.length * 5;
11	12
12		~~- if ( pwd.length < 16 ) {~~
13		~~- score = pwd.length * 5;~~
14		~~- } else {~~
15		~~- score = 80;~~
16		~~- }~~
17		-
18	13	var regexes = [
19	14	/[a-z]/,
20	15	/[A-Z]/,
21	16	/[0-9]/,
22		~~- /[-_;:\.,'"`~!@#$%\^&\*\[\]\{\} ]/ ];~~
	17	+ /[-_;:\.,'"`~!@#$%\^&\*\[\]\{\} ]/
	18	+ ];
23	19
24	20	var charClasses = 0;
25	21	for ( var i=0; i< regexes.length; i++ ) {
—	—	@@ -42,7 +38,8 @@
43	39	return score;
44	40	}
45	41
46		~~-function repetitionScore( pwd ) {~~
	42	+// Calculates a penalty to brute force score due to character repetition
	43	+function repetitionAdjustment( pwd ) {
47	44	var unique = '';
48	45	for ( var i=0; i< pwd.length; i++ ) {
49	46	if ( unique.indexOf( pwd[i] ) < 0 ) {
—	—	@@ -51,9 +48,10 @@
52	49	}
53	50	var ratio = pwd.length / unique.length - 0.4; // allow up to 40% repetition, reward for less, penalize for more
54	51
55		~~- return 100 / ratio;~~
	52	+ return ratio * 10;
56	53	}
57	54
	55	+// Checks how many simple sequences ("abc", "321") are there in the password
58	56	function sequenceScore( pwd ) {
59	57	pwd = pwd.concat( '\0' );
60	58	var score = 100, sequence = 1;
—	—	@@ -62,7 +60,7 @@
63	61	sequence++;
64	62	} else {
65	63	if ( sequence > 2 ) {
66		~~- score -= Math.sqrt( sequence ) * 15;~~
	64	+ score -= sequence * 7;
67	65	}
68	66	sequence = 1;
69	67	}
—	—	@@ -89,23 +87,26 @@
90	88	return;
91	89	}
92	90	if ( pwd.length > 100 ) pwd = pwd.slice( 0, 100 );
93		~~- var score = Math.min(~~
	91	+ var scores = [
94	92	bruteForceComplexity( pwd ),
95		~~- repetitionScore( pwd ),~~
	93	+ repetitionAdjustment( pwd ),
96	94	sequenceScore( pwd )
97		~~- );~~
	95	+ ];
	96	+
	97	+ var score = Math.min( scores[0] - scores[1], scores[2] );
98	98	var result = 'good';
99	99	if ( score < 40 ) {
100	100	result = 'bad';
101	101	} else if ( score < 60 ) {
102	102	result = 'mediocre';
103		~~- } else if ( score < 85 ) {~~
	103	+ } else if ( score < 80 ) {
104	104	result = 'acceptable';
105	105	}
106	106	var message = '<span class="mw-password-' + result + '">' + passwordSecurity.messages['password-strength-' + result]
107	107	+ '</span>';
108	108	$( '#password-strength' ).html(
109	109	passwordSecurity.messages['password-strength'].replace( '$1', message )
	110	+ //+ scores
110	111	);
111	112	}
112	113
Index: trunk/phase3/includes/OutputPage.php
—	—	@@ -1955,7 +1955,14 @@
1956	1956	}
1957	1957	}
1958	1958
	1959	+ /**
	1960	+ * Adds JS-based password security checker
	1961	+ * @param $passwordId String ID of input box containing password
	1962	+ * @param $retypeId String ID of input box containing retyped password
	1963	+ * @return none
	1964	+ */
1959	1965	public function addPasswordSecurity( $passwordId, $retypeId ) {
	1966	+ $this->includeJQuery();
1960	1967	$data = array(
1961	1968	'password' => '#' . $passwordId,
1962	1969	'retype' => '#' . $retypeId,
Index: trunk/phase3/includes/DefaultSettings.php
—	—	@@ -5086,7 +5086,7 @@
5087	5087	/**
5088	5088	* Enabes or disables JavaScript-based suggestions of password strength
5089	5089	*/
5090		~~-$wgLivePasswordStrengthChecks = true;~~
	5090	+$wgLivePasswordStrengthChecks = false;
5091	5091
5092	5092	/**
5093	5093	* For really cool vim folding this needs to be at the end:

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r70520	JavaScript-based password complexity checker on account creation and password...	maxsem	19:16, 5 August 2010

Status & tagging log

23:40, 15 April 2011 😂 (talk | contribs) changed the status of r70769 [removed: ok added: reverted]
20:20, 12 January 2011 Hashar (talk | contribs) changed the status of r70769 [removed: new added: ok]