Feature #7001

Hint user about the strength of their administration password

Added by tmc 2014-03-31 09:31:14. Updated 2020-04-15 06:05:29.

Status: Confirmed
Priority: Low
Assignee:
Category:
Target version:
Start date: 2014-03-31
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter: 0
Affected tool: Welcome Screen
Deliverable for:

Description

The GUI bits should be stolen from existing, well-thought-out solutions to the same problem, e.g. GNOME Disks.

The (Python) code lives at https://git-tails.immerda.ch/greeter/.


Related issues

Related to Tails - Feature #7002: Hint user about passphrase strength when creating a persistent volume (In Progress, 2014-03-31)

History

#1 Updated by intrigeri 2014-03-31 09:50:30

  • related to Feature #7002: Hint user about passphrase strength when creating a persistent volume added

#2 Updated by intrigeri 2014-03-31 09:51:43

  • Subject changed from Password quality monitor for Tails greeter Administrator Dialog to Hint user about the strength of their administration password
  • Description updated
  • Category set to 165
  • Status changed from New to Confirmed
  • Type of work changed from User interface design to Code
  • Starter changed from No to Yes

#3 Updated by sajolida 2016-08-03 13:20:14

I’ve read quite a lot of usable security papers on passwords and password usage lately and I’m concerned about how these widgets educate people about what a good password is. So I’d like to be super careful about the algorithm behind the widget and how its feedback influences password practices on users. Writing such an algorithm would definitely be beyond easy, but maybe we can use an excellent library.

#4 Updated by sajolida 2016-08-03 13:21:51

I’d say that this work should start with good research on this. To be clear: I’d rather not have any widget than have a widget that’s misleading the user on what a good password is.

#5 Updated by intrigeri 2016-08-11 14:07:12

  • Starter changed from Yes to No

> I’d say that this work should start with good research on this. To be clear: I’d rather not have any widget than have a widget that’s misleading the user on what a good password is.

This sounds like a good candidate task for usable security people who want to work on Tails by contributing upstream: we already ship such a widget in GNOME Disks, and it uses https://fedorahosted.org/libpwquality/. So if these two are not doing the right thing, then maybe the first thing to do would be to help fix libpwquality, or the way GNOME Disks uses it. But good login passwords (Feature #7001) and good encrypted storage passwords (Feature #7002) might be different beasts, so perhaps that’s not relevant on this ticket.

#6 Updated by sajolida 2016-08-12 06:22:16

You’re right.

It’s funny because right before reading your note I played with the strength indicator of Disks. It’s good at detecting duplicated characters (“oiuoiuoiuoiuoiuoiu” is “weak”) and it’s good at not forcing special characters (long diceware combinations are “strong”), but it’s not good at detecting common passwords (“to be or not to be” is “good”). I’m using this last one as an example of why strength indicators are intrinsically hard to code :)

I’m definitely interested in this topic and I’m happy to provide pointers but won’t lead the research myself.
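
An added illustration, not part of the ticket and not libpwquality's or GNOME Disks' algorithm: the three cases from comment #6 run through a charset-times-length meter and through a layered check that adds a common-phrase lookup and repetition collapsing. The `COMMON` set, the pool sizes, the 40/70-bit thresholds and the diceware-style sample are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a real common-password/phrase corpus (assumption).
COMMON = {"to be or not to be", "password", "letmein", "123456"}

def naive_bits(pw: str) -> float:
    """Charset-pool x length estimate, as used by simplistic meters."""
    pool = 0
    pool += 26 if any(c in string.ascii_lowercase for c in pw) else 0
    pool += 26 if any(c in string.ascii_uppercase for c in pw) else 0
    pool += 10 if any(c in string.digits for c in pw) else 0
    pool += 33 if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log2(pool) if pool else 0.0

def shortest_unit(pw: str) -> str:
    """Shortest prefix whose repetition reproduces pw exactly."""
    for n in range(1, len(pw) + 1):
        if len(pw) % n == 0 and pw[:n] * (len(pw) // n) == pw:
            return pw[:n]
    return pw

def label(bits: float) -> str:
    # Thresholds are illustrative assumptions, not a standard.
    return "weak" if bits < 40 else "good" if bits < 70 else "strong"

def naive_hint(pw: str) -> str:
    return label(naive_bits(pw))

def layered_hint(pw: str) -> tuple:
    """Returns (label, reason); checks run from most to least specific."""
    if " ".join(pw.lower().split()) in COMMON:
        return "weak", "known common password or phrase"
    unit = shortest_unit(pw)
    if len(unit) < len(pw):
        # A repeated unit adds almost nothing beyond the unit itself.
        return label(naive_bits(unit)), f"repeats {unit!r}"
    return label(naive_bits(pw)), "no common phrase or repetition found"

if __name__ == "__main__":
    for sample in ("oiuoiuoiuoiuoiuoiu", "to be or not to be",
                   "cleft cam synod lacy yr wok"):  # constructed inputs
        print(f"{sample!r}: naive={naive_hint(sample)} "
              f"layered={layered_hint(sample)}")
```

The naive meter rates all three inputs "strong"; only the layered check separates the repeated string and the famous quotation from the diceware-style phrase, and its result is only as good as the phrase corpus behind it.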

#8 Updated by Anonymous 2018-08-18 14:10:36

This ITP was closed in favor of https://tracker.debian.org/pkg/python-zxcvbn, which relies on python2.

#9 Updated by intrigeri 2020-04-15 06:05:29

  • Affected tool changed from Greeter to Welcome Screen