
Commit 40c73cd

Tweaked the password strength indicator, and added indication of offline cracking time for throughput 10e4 attempts per second.
- Legacy-Id: 12827
1 parent 1b8ae42 commit 40c73cd

3 files changed

Lines changed: 31 additions & 10 deletions


ietf/ietfauth/forms.py

Lines changed: 1 addition & 1 deletion
@@ -174,7 +174,7 @@ class ChangePasswordForm(forms.Form):
174174
current_password = forms.CharField(widget=forms.PasswordInput)
175175

176176

177-
new_password = forms.CharField(widget=PasswordStrengthInput)
177+
new_password = forms.CharField(widget=PasswordStrengthInput(attrs={'class':'password_strength'}))
178178
new_password_confirmation = forms.CharField(widget=PasswordConfirmationInput)
179179

180180
def __init__(self, user, data=None):
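Review bot: the `attrs={'class':'password_strength'}` added on the `new_password` line hard-codes a class name that the script resolves separately via `'.' + self.config.passwordClass`, so the two values must stay in sync by hand; a short comment on this line pointing at password_strength.js (or deriving both from one configured constant) would make the dependency visible to the next person who renames either side.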

ietf/static/ietf/js/password_strength.js

Lines changed: 7 additions & 3 deletions
@@ -24,7 +24,8 @@
2424

2525
$('.' + self.config.passwordClass).on('keyup', function() {
2626
var password_strength_bar = $(this).parent().find('.password_strength_bar');
27-
var password_strength_info = $(this).parent().find('.password_strength_info');
27+
var password_strength_info = $(this).parent().find('.password_strength_info');
28+
var password_strength_offline_info = $(this).parent().parent().parent().find('.password_strength_offline_info');
2829

2930
if( $(this).val() ) {
3031
var result = zxcvbn( $(this).val() );
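Review bot: the `$(this).parent().parent().parent().find('.password_strength_offline_info')` lookup on the `28+` line couples the script to exactly three levels of nesting in change_password.html, so any wrapper added or removed in the template silently leaves the offline estimate empty. Consider `$(this).closest('<container selector>').find('.password_strength_offline_info')` against a stable container class, or place the offline paragraph under the same parent as `.password_strength_info` so both can use the existing `$(this).parent().find(...)` pattern.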
@@ -39,8 +40,11 @@
3940

4041
password_strength_bar.width( ((result.score+1)/5)*100 + '%' ).attr('aria-valuenow', result.score + 1);
4142
// henrik@levkowetz.com -- this is the only changed line:
42-
password_strength_info.find('.password_strength_time').html(result.crack_times_display.online_no_throttling_10_per_second);
43-
password_strength_info.removeClass('hidden');
43+
password_strength_info.find('.password_strength_time').html(result.crack_times_display.online_no_throttling_10_per_second);
44+
password_strength_info.removeClass('hidden');
45+
46+
password_strength_offline_info.find('.password_strength_time').html(result.crack_times_display.offline_slow_hashing_1e4_per_second);
47+
password_strength_offline_info.removeClass('hidden');
4448
} else {
4549
password_strength_bar.removeClass('progress-bar-success').addClass('progress-bar-warning');
4650
password_strength_bar.width( '0%' ).attr('aria-valuenow', 0);
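Review bot: the `else` branch visible here resets the bar but contains no `password_strength_offline_info.addClass('hidden')`, so once a password has been typed and then cleared the stale offline estimate stays on screen; whatever the branch does for `password_strength_info` should be mirrored for the new element. Two smaller points: the comment `// henrik@levkowetz.com -- this is the only changed line:` is no longer accurate after this hunk and should be updated or dropped, and the two `.html(...)` calls insert a string that is plain text, so `.text(...)` states the intent and rules out HTML interpretation if the source of that string ever changes.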

ietf/templates/registration/change_password.html

Lines changed: 23 additions & 6 deletions
@@ -2,6 +2,7 @@
22
{# Copyright The IETF Trust 2015, All Rights Reserved #}
33
{% load origin %}
44

5+
56
{% load bootstrap3 %}
67
{% load staticfiles %}
78

@@ -40,18 +41,34 @@ <h1>Change password</h1>
4041
This password form uses the
4142
<a href="https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/">zxcvbn</a>
4243
password strength estimator to give an indication of password strength.
43-
The crack times given assume online attack without rate limiting,
44-
at a rate of 10 attempts per second.
44+
The crack time estimage given above assume online attack without rate
45+
limiting, at a rate of 10 attempts per second.
4546
</div>
4647

48+
<h4>Offline cracking</h4>
4749
<div class="help-block">
48-
The datatracker currently uses a <b>{{ hasher.algorithm }}</b>-based
50+
The datatracker currently uses the <b>{{ hasher.algorithm }}</b>
4951
password hasher with
50-
<b>{% if hasher.iterations %}{{ hasher.iterations }} iterations{% else %}{{ hasher.rounds }} rounds{% endif %}</b>.
51-
Calculating offline attack time if password hashes would leak is left
52+
<b>
53+
{% if hasher.iterations %}
54+
{{ hasher.iterations }} iterations
55+
{% elif hasher.rounds %}
56+
{{ hasher.rounds }} rounds
57+
{% elif hasher.time_cost and hasher.memory_cost and hasher.parallelism %}
58+
time cost {{ hasher.time_cost }}, memory cost {{ hasher.memory_cost }}
59+
and parallelism {{ hasher.parallelism }}
60+
{% endif %}
61+
</b>.
62+
Calculating offline attack time if password hashes should leak is left
5263
as an excercise for the reader.
5364
</div>
54-
65+
<div class="help-block">
66+
<p class="text-muted password_strength_offline_info hidden">
67+
As a guideline, if we assume offline hashing using the current hasher
68+
at a speed of 10<sup>4</sup> attempts per second, this password would
69+
take <b><em class="password_strength_time"></em></b> to crack.
70+
</p>
71+
</div>
5572
</div>
5673
<div class="col-md-2 col-sm-0"></div>
5774
</div>
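Review bot: the new paragraph on the `66+` to `69+` lines says the estimate assumes "offline hashing using the current hasher at a speed of 10<sup>4</sup> attempts per second", but `offline_slow_hashing_1e4_per_second` is zxcvbn's fixed generic figure and is not derived from the `{{ hasher.iterations }}`, `{{ hasher.rounds }}` or `{{ hasher.time_cost }}` values displayed just above it, so a reader may take it as a property of this deployment's hasher; rephrase along the lines of "using zxcvbn's generic slow-hash assumption of 10<sup>4</sup> guesses per second" and keep the hasher parameters as the separate fact they are. Also two spelling points: `estimage` on the `44+` line should read `estimate` (and `assume` should be `assumes`), and `excercise` in the unchanged `52 63` context line should be `exercise`.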
