fix: Password strength check for long passwords #19756
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zxcvbn 4.4.28 no longer crashes on long, random passwords.
In order for the check to pass in a reasonable amount of time.
- remove unused imports - import only the required patterns, not the entire file
github-actions
bot
added
the
add-test-cases
barredterra
removed
the
add-test-cases
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## develop #19756 +/- ##
===========================================
- Coverage 62.82% 62.78% -0.05%
===========================================
Files 754 754
Lines 71285 71332 +47
Branches 6134 6134
===========================================
Hits 44787 44787
- Misses 23022 23069 +47
Partials 3476 3476
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
ankush
approved these changes
Jan 25, 2023
ankush
pushed a commit
that referenced
this pull request
Jan 25, 2023
…9765) * feat: bump zxcvbn version zxcvbn 4.4.28 no longer crashes on long, random passwords. (cherry picked from commit 8aa8ea0) * fix: trim long passwords before check In order for the check to pass in a reasonable amount of time. (cherry picked from commit d5a72b1) * refactor: imports - remove unused imports - import only the required patterns, not the entire file (cherry picked from commit e61d878) * refactor: assign instead of update (cherry picked from commit 2148dc7) * fix: use new source for zxcvbn (cherry picked from commit 92e684d) * feat: add test case for long passwords (cherry picked from commit a33e345) Co-authored-by: barredterra <14891507+barredterra@users.noreply.github.com>
frappe-pr-bot
pushed a commit
that referenced
this pull request
Jan 30, 2023
# [14.25.0](v14.24.0...v14.25.0) (2023-01-30) ### Bug Fixes * add freeze message for bulk delete ([2a42036](2a42036)) * assertAlmostEqual with precision ([#19794](#19794)) ([9f7c4e0](9f7c4e0)) * Convert doctype name to string ([#19832](#19832)) ([#19834](#19834)) ([a45f31d](a45f31d)) * correct exit code on missing app failure ([#19676](#19676)) ([#19770](#19770)) ([f6139a4](f6139a4)) * **i18n:** Datepicker Turkish translations ([#19777](#19777)) ([#19831](#19831)) ([3e91fb1](3e91fb1)) * incorrect link when std field has problem (backport [#19744](#19744)) ([#19763](#19763)) ([4593bb9](4593bb9)) * **MariaDBTable:** dont attempt to drop index twice ([#19783](#19783)) ([67f80c6](67f80c6)) * Password strength check for long passwords (backport [#19756](#19756)) ([#19765](#19765)) ([a6315f9](a6315f9)) * respect disable sidebar stats on list view ([#19795](#19795)) ([5f57816](5f57816)) * sanitize traceback for common secrets ([#19805](#19805)) ([#19806](#19806)) ([ae6f2b1](ae6f2b1)) * use count instead of concatenated docnames ([06948d1](06948d1)) ### Features * Audit hooks report (backport [#19780](#19780)) ([#19828](#19828)) ([99bdf34](99bdf34)) * better freeze message ([c03f9e7](c03f9e7))
ankush
pushed a commit
that referenced
this pull request
Jan 30, 2023
…9843) * feat: bump zxcvbn version zxcvbn 4.4.28 no longer crashes on long, random passwords. (cherry picked from commit 8aa8ea0) # Conflicts: # pyproject.toml * fix: trim long passwords before check In order for the check to pass in a reasonable amount of time. (cherry picked from commit d5a72b1) * refactor: imports - remove unused imports - import only the required patterns, not the entire file (cherry picked from commit e61d878) # Conflicts: # frappe/utils/password_strength.py * refactor: assign instead of update (cherry picked from commit 2148dc7) * fix: use new source for zxcvbn (cherry picked from commit 92e684d) * feat: add test case for long passwords (cherry picked from commit a33e345) * chore: resolve conflicts --------- Co-authored-by: barredterra <14891507+barredterra@users.noreply.github.com>
stephenBDT
pushed a commit
to alias/frappe
that referenced
this pull request
Feb 7, 2023
… (frappe#19765) * feat: bump zxcvbn version zxcvbn 4.4.28 no longer crashes on long, random passwords. (cherry picked from commit 8aa8ea0) * fix: trim long passwords before check In order for the check to pass in a reasonable amount of time. (cherry picked from commit d5a72b1) * refactor: imports - remove unused imports - import only the required patterns, not the entire file (cherry picked from commit e61d878) * refactor: assign instead of update (cherry picked from commit 2148dc7) * fix: use new source for zxcvbn (cherry picked from commit 92e684d) * feat: add test case for long passwords (cherry picked from commit a33e345) Co-authored-by: barredterra <14891507+barredterra@users.noreply.github.com>
stephenBDT
pushed a commit
to alias/frappe
that referenced
this pull request
Feb 7, 2023
# [14.25.0](frappe/frappe@v14.24.0...v14.25.0) (2023-01-30) ### Bug Fixes * add freeze message for bulk delete ([2a42036](frappe@2a42036)) * assertAlmostEqual with precision ([frappe#19794](frappe#19794)) ([9f7c4e0](frappe@9f7c4e0)) * Convert doctype name to string ([frappe#19832](frappe#19832)) ([frappe#19834](frappe#19834)) ([a45f31d](frappe@a45f31d)) * correct exit code on missing app failure ([frappe#19676](frappe#19676)) ([frappe#19770](frappe#19770)) ([f6139a4](frappe@f6139a4)) * **i18n:** Datepicker Turkish translations ([frappe#19777](frappe#19777)) ([frappe#19831](frappe#19831)) ([3e91fb1](frappe@3e91fb1)) * incorrect link when std field has problem (backport [frappe#19744](frappe#19744)) ([frappe#19763](frappe#19763)) ([4593bb9](frappe@4593bb9)) * **MariaDBTable:** dont attempt to drop index twice ([frappe#19783](frappe#19783)) ([67f80c6](frappe@67f80c6)) * Password strength check for long passwords (backport [frappe#19756](frappe#19756)) ([frappe#19765](frappe#19765)) ([a6315f9](frappe@a6315f9)) * respect disable sidebar stats on list view ([frappe#19795](frappe#19795)) ([5f57816](frappe@5f57816)) * sanitize traceback for common secrets ([frappe#19805](frappe#19805)) ([frappe#19806](frappe#19806)) ([ae6f2b1](frappe@ae6f2b1)) * use count instead of concatenated docnames ([06948d1](frappe@06948d1)) ### Features * Audit hooks report (backport [frappe#19780](frappe#19780)) ([frappe#19828](frappe#19828)) ([99bdf34](frappe@99bdf34)) * better freeze message ([c03f9e7](frappe@c03f9e7))
frappe-pr-bot
pushed a commit
that referenced
this pull request
Feb 13, 2023
## [13.49.2](v13.49.1...v13.49.2) (2023-02-13) ### Bug Fixes * 2fa creation token on ldap (backport [#19753](#19753)) ([#19875](#19875)) ([44257fd](44257fd)) * Apply permissions on Report sidebar ([#20001](#20001)) ([7a7b8fa](7a7b8fa)) * build_response for re.Match ([#19899](#19899)) ([3b9712f](3b9712f)) * can't sign out due to missing roles ([#19905](#19905)) ([#19906](#19906)) ([c6e426b](c6e426b)) * Consider parenttype when renaming ([#19901](#19901)) ([#19902](#19902)) ([3380867](3380867)) * Dont setup socketio events on new doc ([#19864](#19864)) ([#19865](#19865)) ([474df51](474df51)) * event date exception ([#19955](#19955)) ([#20008](#20008)) ([b332cc6](b332cc6)) * ignore permission for marking Note as seen ([#19939](#19939)) ([#20004](#20004)) ([a6def66](a6def66)) * login before check should be inclusive ([#19974](#19974)) ([#19975](#19975)) ([2947a45](2947a45)) * Many migration fixes (copy [#19912](#19912)) ([#19922](#19922)) ([951b71b](951b71b)) * Migrate color fields to color doctype ([#20011](#20011)) ([#20012](#20012)) ([e11de2c](e11de2c)) * misc migration related fixes ([#19874](#19874)) ([#19880](#19880)) ([69eb757](69eb757)) * Password strength check for long passwords (backport [#19756](#19756)) ([#19843](#19843)) ([287d398](287d398)) * PermissionError ([#19856](#19856)) ([#19857](#19857)) ([0ed218d](0ed218d)) * sanitize form dict in error logs ([#19835](#19835)) ([9d91bf9](9d91bf9)) * String formatting index in error message ([#19977](#19977)) ([#19978](#19978)) ([b05c156](b05c156)) * strip whitespace when setting recipients in email queue recipients ([#19915](#19915)) ([ac2ec3d](ac2ec3d)) * translations update in MutliSelectDialog ([88c77ed](88c77ed)) * website theme caching ([#19848](#19848)) ([#19849](#19849)) ([af7747e](af7747e)) ### Reverts * Revert "fix: handle additional width from scrollbar" ([779a7c1](779a7c1))
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I have a long API Key (>600) characters that fails to save because of the password check.
The zxcvbn version we are using at the moment produces an
OverflowError. That was fixed in dwolfhub/zxcvbn-python#35 . -> Bumped from 4.4.24 to 4.4.28. zxcvbn-python is not maintained anymore. It has moved to zxcvbn.However, checking a password this long still took way too much time. I canceled the check after running for half a minute. -> For long passwords, only check the first 128 characters. This way we can still detect user inputs and repeating patterns in the first part, but it's reasonably quick.
To reproduce the problem, you can try this:
With
zxcvbn==4.4.24you should get anOverflowError. Withzxcvbn==4.4.28you should have to wait for a long time.