[wp-trac] [WordPress Trac] #25174: Expand zxcvbn user_input blacklist
WordPress Trac
noreply at wordpress.org
Thu Aug 29 05:04:14 UTC 2013
#25174: Expand zxcvbn user_input blacklist
-------------------------+-----------------------------
Reporter: iandunn | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords: has-patch
-------------------------+-----------------------------
The current blacklist only contains the username, but there are other
known data about the current user/site that we should discourage using in
passwords, because they'll lower the entropy.
I've attached a rough first pass. It needs more work, but I'd like to get
some feedback.
* There's probably a better location for zxcvbn_user_input_blacklist()
* Are there performance concerns with zxcvbn_user_input_blacklist()?
There are a lot of function calls and processing, and there may be more
elegant ways to get the same results.
* Any more suggestions for additional generic words to blacklist?
* Are there any security/privacy issues, since all of the data returned by
zxcvbn_user_input_blacklist() will be revealed in the page source?
Probably not in the typical usage, since it's only shown on user-edit.php
(and therefore is already behind a current_user_can() check). There could
be issues if it were (mis)used by plugins, though.
* Any other issues?
Note that there's currently a bug in the zxcvbn implementation where
[http://core.trac.wordpress.org/ticket/21737#comment:41 user_input is
being ignored], so this patch won't actually affect the returned score
until Jon's latest patch is committed.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25174>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
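As an added example (not the patch attached to this ticket), the following JavaScript shows one way to assemble a zxcvbn user_inputs list from data that is already visible on user-edit.php, and a helper that reports which entries a candidate password contains. The field names, the generic word list and the helper names are assumptions, not what the patch uses.

```javascript
// Added example, not the ticket's patch: build a zxcvbn user_inputs list
// from user/site data that user-edit.php already exposes in page source.
// Constructed sample data; field names mirror WP's but are assumptions here.
const SAMPLE_USER = {
  user_login: 'ian.dunn',
  display_name: 'Ian Dunn',
  user_email: 'ian.dunn@example.org',
  user_url: 'https://blog.example.org/about',
};
const SAMPLE_SITE = { blogname: 'Example Blog', siteurl: 'https://blog.example.org' };
// Assumed generic words worth discouraging in any WordPress password.
const GENERIC_WORDS = ['wordpress', 'password', 'admin', 'login'];

// Lowercase the value, keep it whole, and add its word parts (3+ chars).
function tokens(value) {
  if (!value) return [];
  const lower = String(value).toLowerCase();
  const parts = lower.split(/[^a-z0-9]+/).filter(p => p.length >= 3);
  return [lower, ...parts];
}

// Hostname only, so a URL path does not leak extra data into page source.
function hostnameOf(url) {
  try { return new URL(url).hostname; } catch (e) { return ''; }
}

// Returns the deduplicated list to pass as zxcvbn's user_inputs argument.
function buildUserInputBlacklist(user, site) {
  const raw = [
    ...tokens(user.user_login),
    ...tokens(user.display_name),
    ...tokens((user.user_email || '').split('@')[0]), // local part only
    ...tokens(hostnameOf(user.user_url)),
    ...tokens(site.blogname),
    ...tokens(hostnameOf(site.siteurl)),
    ...GENERIC_WORDS,
  ];
  // Drop short tokens and scheme/TLD noise that would only add entries.
  const noise = new Set(['www', 'com', 'org', 'net', 'http', 'https']);
  return [...new Set(raw.filter(t => t.length >= 3 && !noise.has(t)))];
}

// Which blacklist entries does a candidate password contain (case-insensitive)?
function blacklistMatches(password, blacklist) {
  const p = password.toLowerCase();
  return blacklist.filter(t => p.includes(t));
}
```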