Feature #7001: Hint user about the strength of their administration password

Feature #7001

Hint user about the strength of their administration password

Added by tmc 2014-03-31 09:31:14 . Updated 2020-04-15 06:05:29 .

Status:

Confirmed

Priority:

Low

Assignee:

Category:

Target version:

Start date:

2014-03-31

Due date:

% Done:

Feature Branch:

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Welcome Screen

Deliverable for:

Description

The GUI bits should be stolen from existing, well-thought solutions to the same problem, e.g. GNOME Disks.

The (Python) code lives at https://git-tails.immerda.ch/greeter/.

Subtasks

Related issues

Related to Tails - Feature #7002: Hint user about passphrase strength when creating a persistent volume

In Progress

2014-03-31

History

#1 Updated by intrigeri 2014-03-31 09:50:30

related to Feature #7002: Hint user about passphrase strength when creating a persistent volume added

#2 Updated by intrigeri 2014-03-31 09:51:43

Subject changed from Password quality monitor for Tails greeter Administrator Dialog to Hint user about the strength of their administration password
Description updated
Category set to 165
Status changed from New to Confirmed
Type of work changed from User interface design to Code
Starter changed from No to Yes

#3 Updated by sajolida 2016-08-03 13:20:14

I’ve read quite a lot of usable security papers on passwords and password usage lately and I’m concerned about how these widget educate people about what a good password is. So I’d like to be super careful about the algorithm behind the widget and how its feedback influence password practices on users. Writing such an algorithm would definitely be beyond easy, but maybe we can use an excellent library.

#4 Updated by sajolida 2016-08-03 13:21:51

I’d say that this work should start with a good research on this. To be clear: I’d rather not have any widget than have a widget that’s misleading the user on what a good password is.

#5 Updated by intrigeri 2016-08-11 14:07:12

Starter changed from Yes to No

> I’d say that this work should start with a good research on this. To be clear: I’d rather not have any widget than have a widget that’s misleading the user on what a good password is.

This sounds like a good candidate task for usable security people who want to work on Tails by contributing upstream: we already ship such a widget in GNOME Disks, and it uses https://fedorahosted.org/libpwquality/. So if these two are not doing the right thing, then maybe the first thing to do would be to help fix libpwquality, or the way GNOME Disks uses it. But good login passwords (Feature #7001) and good encrypted storage passwords (Feature #7002) might be different beasts, so perhaps that’s not relevant on this ticket.

#6 Updated by sajolida 2016-08-12 06:22:16

You right.

It’s funny because right before reading your note I played with the strength indicator of Disks. It’s good as detecting duplicated characters (“oiuoiuoiuoiuoiuoiu” is “weak”) and it’s good at not forcing special characters (long diceware combinations are “strong”), but it’s not good at detecting common passwords (“to be or not to be” is “good”). I’m using this last one as an example of why strength indicators are intrinsically hard to code :)

I’m definitely interested in this topic and I’m happy to provide pointers but won’t lead the research myself.

#7 Updated by intrigeri 2017-01-04 09:09:42

FWIW there’s an open ITP for safe — password strength checking library for Python.

#8 Updated by Anonymous 2018-08-18 14:10:36

This ITP was closed in favor of https://tracker.debian.org/pkg/python-zxcvbn, which relies on python2.

#9 Updated by intrigeri 2020-04-15 06:05:29

Affected tool changed from Greeter to Welcome Screen