Feature #7001

Hint user about the strength of their administration password

Added by tmc over 5 years ago. Updated about 1 year ago.

Status: Confirmed
Priority: Low
Assignee: -
Category: -
Target version: -
Start date: 03/31/2014
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter: No
Affected tool: Greeter

Description

The GUI bits should be stolen from existing, well-thought solutions to the same problem, e.g. GNOME Disks.

The (Python) code lives at https://git-tails.immerda.ch/greeter/.


Related issues

Related to Tails - Feature #7002: Hint user about passphrase strength when creating a persistent volume Confirmed 03/31/2014

History

#1 Updated by intrigeri over 5 years ago

  • Related to Feature #7002: Hint user about passphrase strength when creating a persistent volume added

#2 Updated by intrigeri over 5 years ago

  • Subject changed from Password quality monitor for Tails greeter Administrator Dialog to Hint user about the strength of their administration password
  • Description updated (diff)
  • Category set to 165
  • Status changed from New to Confirmed
  • Type of work changed from User interface design to Code
  • Starter changed from No to Yes

#3 Updated by sajolida about 3 years ago

I've read quite a lot of usable security papers on passwords and password usage lately and I'm concerned about how these widgets educate people about what a good password is. So I'd like to be super careful about the algorithm behind the widget and how its feedback influences password practices on users. Writing such an algorithm would definitely be beyond easy, but maybe we can use an excellent library.

#4 Updated by sajolida about 3 years ago

I'd say that this work should start with good research on this. To be clear: I'd rather not have any widget than have a widget that's misleading the user on what a good password is.

#5 Updated by intrigeri about 3 years ago

  • Starter changed from Yes to No

> I'd say that this work should start with good research on this. To be clear: I'd rather not have any widget than have a widget that's misleading the user on what a good password is.

This sounds like a good candidate task for usable security people who want to work on Tails by contributing upstream: we already ship such a widget in GNOME Disks, and it uses https://fedorahosted.org/libpwquality/. So if these two are not doing the right thing, then maybe the first thing to do would be to help fix libpwquality, or the way GNOME Disks uses it. But good login passwords (#7001) and good encrypted storage passwords (#7002) might be different beasts, so perhaps that's not relevant on this ticket.

#6 Updated by sajolida about 3 years ago

You're right.

It's funny because right before reading your note I played with the strength indicator of Disks. It's good at detecting duplicated characters ("oiuoiuoiuoiuoiuoiu" is "weak") and it's good at not forcing special characters (long diceware combinations are "strong"), but it's not good at detecting common passwords ("to be or not to be" is "good"). I'm using this last one as an example of why strength indicators are intrinsically hard to code :)

I'm definitely interested in this topic and I'm happy to provide pointers but won't lead the research myself.
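The three cases from comment #6, as an added example that is not part of the ticket and is not code from libpwquality, GNOME Disks or the Greeter: a character-class meter rates all three strings "strong", and only explicit repetition and known-phrase checks separate them. The function names, the thresholds, the phrase list and the diceware-style sample are assumptions made for illustration.

```python
import math
import re
import string

# Constructed sample list (assumption): a real checker would load a large
# corpus of leaked passwords and well-known phrases.
COMMON_PHRASES = {"to be or not to be", "password", "letmein"}

def naive_bits(pw):
    """Length x log2(alphabet size), as a character-class meter estimates it."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10)]
    pool = sum(size for chars, size in classes if any(c in chars for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        pool += 33  # printable ASCII punctuation plus space
    return len(pw) * math.log2(pool) if pool else 0.0

def label(bits):
    """Map an estimate to a label; the thresholds are arbitrary assumptions."""
    return "weak" if bits < 40 else "fair" if bits < 70 else "strong"

def naive_label(pw):
    return label(naive_bits(pw))

def repeated_unit(pw):
    """Shortest unit whose repetition makes up the whole password, else None."""
    m = re.fullmatch(r"(.+?)\1+", pw)
    return m.group(1) if m else None

def assess(pw):
    """Naive estimate corrected for known phrases and whole-string repetition."""
    if pw.lower() in COMMON_PHRASES:
        return "weak"
    unit = repeated_unit(pw)
    # A repeated password carries little more information than its unit.
    return label(naive_bits(unit if unit else pw))

if __name__ == "__main__":
    samples = ["oiuoiuoiuoiuoiuoiu",                      # from comment #6
               "to be or not to be",                      # from comment #6
               "anvil sprout kettle mosaic drift ember"]  # constructed sample
    for pw in samples:
        print(f"{pw!r}: naive={naive_label(pw)}, corrected={assess(pw)}")
```

The phrase check only catches what is in its list, so its coverage is bounded by the corpus behind it.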

#8 Updated by u about 1 year ago

This ITP was closed in favor of https://tracker.debian.org/pkg/python-zxcvbn, which relies on python2.
