Passphrase Strength in Key Generation #38
Assignees
Labels
development
Standard development
Comments
Merged
|
Warn but don't enforce. In fact we can even suggest passwords.
…On 4 June 2020 12:06:22 GMT+10:00, Robbie Cronin ***@***.***> wrote:
I think we should throw an error for a weak passphrase passed into the
kbpgp key generation. We can validate password strength with
[zxcvbn](https://github.com/dropbox/zxcvbn). They define anything under
a score of 2 to be somewhat guessable (guesses < 10^8) so I think its
reasonable to error if the user provided passphrase is below this.
Note: this issue is solved in the upcoming PR #35, but I thought it
best to document our decision here.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
#38
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
|
|
yeah it makes sense that this should just be a notification to the user on any kind of user interface we implement and the polykey key generation function should just be ignorant to the strength of the passphrase. I've made it just a warning on the CLI. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I think we should throw an error for a weak passphrase passed into the kbpgp key generation. We can validate password strength with zxcvbn. They define anything under a score of 2 to be somewhat guessable (guesses < 10^8) so I think its reasonable to error if the user provided passphrase is below this.
Note: this issue is solved in the upcoming PR #35, but I thought it best to document our decision here.
The text was updated successfully, but these errors were encountered: