From 40c73cd483abee2322e76b1c85e9b3f3a688c0b4 Mon Sep 17 00:00:00 2001
From: Henrik Levkowetz <henrik@levkowetz.com>
Date: Sun, 12 Feb 2017 17:12:03 +0000
Subject: [PATCH] Tweaked the password strength indicator, and added indication
 of offline cracking time for a throughput of 1e4 (10^4) attempts per second.  -
 Legacy-Id: 12827

---
 ietf/ietfauth/forms.py                        |  2 +-
 ietf/static/ietf/js/password_strength.js      | 10 +++++--
 .../registration/change_password.html         | 29 +++++++++++++++----
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/ietf/ietfauth/forms.py b/ietf/ietfauth/forms.py
index f30f8c103..7c244b061 100644
--- a/ietf/ietfauth/forms.py
+++ b/ietf/ietfauth/forms.py
@@ -174,7 +174,7 @@ class ChangePasswordForm(forms.Form):
     current_password = forms.CharField(widget=forms.PasswordInput)
 
 
-    new_password = forms.CharField(widget=PasswordStrengthInput)
+    new_password = forms.CharField(widget=PasswordStrengthInput(attrs={'class':'password_strength'}))
     new_password_confirmation = forms.CharField(widget=PasswordConfirmationInput)
 
     def __init__(self, user, data=None):
diff --git a/ietf/static/ietf/js/password_strength.js b/ietf/static/ietf/js/password_strength.js
index a1fd393f5..e441c1346 100644
--- a/ietf/static/ietf/js/password_strength.js
+++ b/ietf/static/ietf/js/password_strength.js
@@ -24,7 +24,8 @@
 
             $('.' + self.config.passwordClass).on('keyup', function() {
                 var password_strength_bar = $(this).parent().find('.password_strength_bar');
-                var password_strength_info = $(this).parent().find('.password_strength_info');
+		var password_strength_info = $(this).parent().find('.password_strength_info');
+		var password_strength_offline_info = $(this).parent().parent().parent().find('.password_strength_offline_info');
 
                 if( $(this).val() ) {
                     var result = zxcvbn( $(this).val() );
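Review bot: The two added `var password_strength_info` / `var password_strength_offline_info` lines are indented with tabs while the rest of the handler body uses spaces, so the block now mixes both; re-indent with spaces to match (the first of the two is only re-indented, not otherwise changed). The `$(this).parent().parent().parent().find('.password_strength_offline_info')` chain hard-codes the template's nesting depth, so any markup change in change_password.html silently breaks the offline estimate (jQuery returns an empty set and the later `.removeClass('hidden')` becomes a no-op). Giving the `<p>` an id and selecting it with `$('#password_strength_offline_info')`, or using `$(this).closest('<known container>').find(...)`, would decouple the script from the template structure. The keyup handler this belongs to starts before this hunk and continues after it.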
@@ -39,8 +40,11 @@
 
                     password_strength_bar.width( ((result.score+1)/5)*100 + '%' ).attr('aria-valuenow', result.score + 1);
 		    // henrik@levkowetz.com -- this is the only changed line:
-                    password_strength_info.find('.password_strength_time').html(result.crack_times_display.online_no_throttling_10_per_second);
-                    password_strength_info.removeClass('hidden');
+		    password_strength_info.find('.password_strength_time').html(result.crack_times_display.online_no_throttling_10_per_second);
+		    password_strength_info.removeClass('hidden');
+
+		    password_strength_offline_info.find('.password_strength_time').html(result.crack_times_display.offline_slow_hashing_1e4_per_second);
+		    password_strength_offline_info.removeClass('hidden');
                 } else {
                     password_strength_bar.removeClass('progress-bar-success').addClass('progress-bar-warning');
                     password_strength_bar.width( '0%' ).attr('aria-valuenow', 0);
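Review bot: The retained comment `// henrik@levkowetz.com -- this is the only changed line:` is now stale, since this hunk modifies several lines beneath it and adds the offline estimate; either drop it or reword it to describe the local deviation from upstream, e.g. `// Local change from upstream: also show zxcvbn's offline slow-hash (1e4/s) estimate.`. The value read from `result.crack_times_display.offline_slow_hashing_1e4_per_second` is a fixed assumption inside zxcvbn (a bcrypt/scrypt/PBKDF2-class hash at 10^4 guesses/s), not something derived from the datatracker's configured hasher or its iteration count, so the UI text that consumes it should not imply otherwise. Both inserts use `.html()` for a library-generated string; `.text()` is the safer default so that no markup from a future zxcvbn version or a different data source is ever interpreted. The surrounding keyup handler continues outside the hunk.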
diff --git a/ietf/templates/registration/change_password.html b/ietf/templates/registration/change_password.html
index c246425eb..d7025f71b 100644
--- a/ietf/templates/registration/change_password.html
+++ b/ietf/templates/registration/change_password.html
@@ -2,6 +2,7 @@
 {# Copyright The IETF Trust 2015, All Rights Reserved #}
 {% load origin %}
 
+
 {% load bootstrap3 %}
 {% load staticfiles %}
 
@@ -40,18 +41,34 @@
 	   This password form uses the
 	   <a href="https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/">zxcvbn</a>
 	   password strength estimator to give an indication of password strength.
-	   The crack times given assume online attack without rate limiting,
-	   at a rate of 10 attempts per second.
+	   The crack time estimage given above assume online attack without rate
+	   limiting, at a rate of 10 attempts per second.
 	</div>
 	  
+	<h4>Offline cracking</h4>
 	<div class="help-block">
-	   The datatracker currently uses a <b>{{ hasher.algorithm }}</b>-based
+	   The datatracker currently uses the <b>{{ hasher.algorithm }}</b>
 	   password hasher with
-	   <b>{% if hasher.iterations %}{{ hasher.iterations }} iterations{% else %}{{ hasher.rounds }} rounds{% endif %}</b>.
-	   Calculating offline attack time if password hashes would leak is left
+	   <b>
+	     {% if hasher.iterations %}
+	       {{ hasher.iterations }} iterations
+	     {% elif hasher.rounds %}
+	       {{ hasher.rounds }} rounds
+	     {% elif hasher.time_cost and hasher.memory_cost and hasher.parallelism %}
+	       time cost {{ hasher.time_cost }}, memory cost {{ hasher.memory_cost }}
+	       and parallelism {{ hasher.parallelism }}
+	     {% endif %}
+	   </b>.
+	   Calculating offline attack time if password hashes should leak is left
 	   as an excercise for the reader.
 	</div>
-
+	<div class="help-block">
+            <p class="text-muted password_strength_offline_info hidden">
+		As a guideline, if we assume offline hashing using the current hasher
+		at a speed of 10<sup>4</sup> attempts per second, this password would
+		take <b><em class="password_strength_time"></em></b> to crack.
+            </p>
+	</div>
       </div>
       <div class="col-md-2 col-sm-0"></div>
     </div>
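Review bot: When the hasher exposes none of `iterations`, `rounds`, or the argon2 `time_cost`/`memory_cost`/`parallelism` triple, the new `{% if %}`/`{% elif %}` chain renders an empty `<b></b>` and the sentence reads "password hasher with ." — add a fallback branch such as `{% else %}an unknown work factor{% endif %}` or move the trailing period inside each branch. The offline guideline text says "using the current hasher at a speed of 10<sup>4</sup> attempts per second", but zxcvbn's `offline_slow_hashing_1e4_per_second` figure is a fixed assumption independent of the configured hasher; reword to something like "assuming a slow password hash attacked at roughly 10<sup>4</sup> guesses per second; a faster hasher, fewer iterations, or GPU/ASIC hardware makes the real time much shorter". Typos on the new lines: "estimage" → "estimate" and "assume" → "assumes", plus "excercise" → "exercise" on the retained context line.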