Tweaked the password strength indicator, and added indication of offline cracking time for throughput 10e4 attempts per second.

- Legacy-Id: 12827
2017-02-12 17:12:03 +00:00 · 2017-02-12 17:12:03 +00:00 · 40c73cd483
parent 1b8ae422d0
commit 40c73cd483
3 changed files with 31 additions and 10 deletions
--- a/ietf/ietfauth/forms.py
+++ b/ietf/ietfauth/forms.py
@ -174,7 +174,7 @@ class ChangePasswordForm(forms.Form):
    current_password = forms.CharField(widget=forms.PasswordInput)


-    new_password = forms.CharField(widget=PasswordStrengthInput)
+    new_password = forms.CharField(widget=PasswordStrengthInput(attrs={'class':'password_strength'}))
    new_password_confirmation = forms.CharField(widget=PasswordConfirmationInput)

    def __init__(self, user, data=None):
--- a/ietf/static/ietf/js/password_strength.js
+++ b/ietf/static/ietf/js/password_strength.js
@ -24,7 +24,8 @@

            $('.' + self.config.passwordClass).on('keyup', function() {
                var password_strength_bar = $(this).parent().find('.password_strength_bar');
-                var password_strength_info = $(this).parent().find('.password_strength_info');
+		var password_strength_info = $(this).parent().find('.password_strength_info');
+		var password_strength_offline_info = $(this).parent().parent().parent().find('.password_strength_offline_info');

                if( $(this).val() ) {
                    var result = zxcvbn( $(this).val() );
@ -39,8 +40,11 @@

                    password_strength_bar.width( ((result.score+1)/5)*100 + '%' ).attr('aria-valuenow', result.score + 1);
 		    // henrik@levkowetz.com -- this is the only changed line:
-                    password_strength_info.find('.password_strength_time').html(result.crack_times_display.online_no_throttling_10_per_second);
-                    password_strength_info.removeClass('hidden');
+		    password_strength_info.find('.password_strength_time').html(result.crack_times_display.online_no_throttling_10_per_second);
+		    password_strength_info.removeClass('hidden');
+
+		    password_strength_offline_info.find('.password_strength_time').html(result.crack_times_display.offline_slow_hashing_1e4_per_second);
+		    password_strength_offline_info.removeClass('hidden');
                } else {
                    password_strength_bar.removeClass('progress-bar-success').addClass('progress-bar-warning');
                    password_strength_bar.width( '0%' ).attr('aria-valuenow', 0);
--- a/ietf/templates/registration/change_password.html
+++ b/ietf/templates/registration/change_password.html
@ -2,6 +2,7 @@
 {# Copyright The IETF Trust 2015, All Rights Reserved #}
 {% load origin %}

+
 {% load bootstrap3 %}
 {% load staticfiles %}

@ -40,18 +41,34 @@
 	   This password form uses the
 	   <a href="https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/">zxcvbn</a>
 	   password strength estimator to give an indication of password strength.
-	   The crack times given assume online attack without rate limiting,
-	   at a rate of 10 attempts per second.
+	   The crack time estimage given above assume online attack without rate
+	   limiting, at a rate of 10 attempts per second.
 	</div>
 	  
+	<h4>Offline cracking</h4>
 	<div class="help-block">
-	   The datatracker currently uses a <b>{{ hasher.algorithm }}</b>-based
+	   The datatracker currently uses the <b>{{ hasher.algorithm }}</b>
 	   password hasher with
-	   <b>{% if hasher.iterations %}{{ hasher.iterations }} iterations{% else %}{{ hasher.rounds }} rounds{% endif %}</b>.
-	   Calculating offline attack time if password hashes would leak is left
+	   <b>
+	     {% if hasher.iterations %}
+	       {{ hasher.iterations }} iterations
+	     {% elif hasher.rounds %}
+	       {{ hasher.rounds }} rounds
+	     {% elif hasher.time_cost and hasher.memory_cost and hasher.parallelism %}
+	       time cost {{ hasher.time_cost }}, memory cost {{ hasher.memory_cost }}
+	       and parallelism {{ hasher.parallelism }}
+	     {% endif %}
+	   </b>.
+	   Calculating offline attack time if password hashes should leak is left
 	   as an excercise for the reader.
 	</div>
-
+	<div class="help-block">
+            <p class="text-muted password_strength_offline_info hidden">
+		As a guideline, if we assume offline hashing using the current hasher
+		at a speed of 10<sup>4</sup> attempts per second, this password would
+		take <b><em class="password_strength_time"></em></b> to crack.
+            </p>
+	</div>
      </div>
      <div class="col-md-2 col-sm-0"></div>
    </div>