[wp-trac] [WordPress Trac] #21737: Users should have to jump through hoops to set passwords of their choosing, and we should guard better against weak passwords

WordPress Trac noreply at wordpress.org
Fri Aug 16 22:32:59 UTC 2013


#21737: Users should have to jump through hoops to set passwords of their choosing,
and we should guard better against weak passwords
----------------------------+-----------------------
 Reporter:  markjaquith     |       Owner:  westi
     Type:  task (blessed)  |      Status:  accepted
 Priority:  normal          |   Milestone:  3.7
Component:  Security        |     Version:
 Severity:  normal          |  Resolution:
 Keywords:                  |
----------------------------+-----------------------

Comment (by azaozz):

 At the same time, we deliberately don't register zxcvbn.min.js, because
 zxcvbn-async.js should be used instead.

 Agreed, that's a good thing to do.

 > We could almost treat zxcvbn-async.js as a WP file. Maybe even call it
 > wp-zxcvbn.js or wp-password-strength.js.

 Yep, my thoughts exactly. `zxcvbn-async.js` is a simple async loading of
 another JS file on `window.onload`. We can have the remainder of
 `passwordStrength(password1, username, password2)` in the same file.

 On the other hand if we want to experiment with loading zxcvbn.js "on
 demand", perhaps after a password field is focused, we will need
 `password-strength-meter.js` to handle that. In this case
 `zxcvbn-async.js` should be in script_loader so the library can be loaded
 properly but is not going to be used in core.

 Loading zxcvbn.js on demand seems pretty straightforward. It fires
 `zxcvbn_load_hook` callback when ready. This can be used to remove a
 spinner (we will need one) and start checking user input.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/21737#comment:36>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
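
The on-demand loading discussed in the comment above, sketched as an added example (not part of the original message and not WordPress core code): zxcvbn.js is injected on the first focus of the password field, and `zxcvbn_load_hook` is used to clear the spinner and start scoring input. The function name and the `src`, `userInputs`, `onLoading`, `onReady` and `onScore` options are hypothetical; `win` is the browser `window`.

```javascript
// Added example: load zxcvbn.js only when a password field is first focused.
// attachOnDemandStrengthMeter and its option names are hypothetical.
function attachOnDemandStrengthMeter(win, field, opts) {
  var state = 'idle'; // idle -> loading -> ready

  function check() {
    // Pass the username etc. so passwords derived from them score lower.
    var result = win.zxcvbn(field.value, opts.userInputs || []);
    opts.onScore(result.score); // zxcvbn scores run from 0 (weakest) to 4
  }

  function ready() {
    if (state === 'ready') return;        // the hook must only wire up once
    state = 'ready';
    opts.onReady();                       // e.g. remove the spinner
    field.addEventListener('input', check);
    if (field.value) check();             // score anything typed while loading
  }

  function load() {
    if (state !== 'idle') return;         // never inject the script twice
    if (typeof win.zxcvbn === 'function') { ready(); return; } // already there
    state = 'loading';
    opts.onLoading();                     // e.g. show the spinner
    win.zxcvbn_load_hook = ready;         // zxcvbn.js fires this when ready
    var script = win.document.createElement('script');
    script.src = opts.src;                // URL of zxcvbn.js (assumed option)
    script.async = true;
    win.document.head.appendChild(script);
  }

  field.addEventListener('focus', load);
  return { state: function () { return state; } };
}
```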