[wp-trac] [WordPress Trac] #25174: Expand zxcvbn user_input blacklist

WordPress Trac noreply at wordpress.org
Wed Sep 25 01:42:21 UTC 2013


#25174: Expand zxcvbn user_input blacklist
----------------------------+--------------------
 Reporter:  iandunn         |       Owner:
     Type:  task (blessed)  |      Status:  new
 Priority:  normal          |   Milestone:  3.7
Component:  Security        |     Version:  trunk
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |
----------------------------+--------------------

Comment (by iandunn):

 `25174.3.diff` is an all-JS solution. I haven't tested thoroughly yet, but
 I think it's most of the way there. It works fine on the current user's
 profile, another user's profile, the install, and the unit tests.

 The returned array ends up with some extra words like "profile",
 "installation", "admin", etc., but I don't think filtering them out is
 really necessary. It would make the code a bit more complex and slower,
 and those words are gonna be heavily penalized by the dictionary checks
 anyway.

 Note that [https://github.com/lowe/zxcvbn/issues/33 zxcvbn's user_input
 check is case-sensitive], which significantly reduces the effectiveness of
 the blacklist. It's still a worthwhile improvement, though.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25174#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
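The comment above points out that zxcvbn's `user_input` check is case-sensitive, so a blacklist built from raw profile values can be defeated by capitalization. The following is an added example, not the `25174.3.diff` patch or any zxcvbn code: it assembles a `user_inputs` array from a set of profile-field values (the field names and sample values are constructed for illustration), splits each value into tokens, keeps both the original spelling and a lowercased copy, drops very short tokens, and de-duplicates. A small case-sensitive substring check stands in for the matcher to show which entries a candidate password would actually hit.

```javascript
// Added example: build a case-insensitive user_inputs list for a
// password-strength blacklist from profile form values.
// Not code from the WordPress patch or from zxcvbn.

// Split a field value into candidate words: the whole value plus its
// alphanumeric tokens, so "ian.dunn@example.com" also yields
// "ian", "dunn", "example" and "com".
function tokenize(value) {
  const trimmed = String(value || '').trim();
  if (!trimmed) return [];
  const parts = trimmed.split(/[^a-z0-9]+/i).filter(Boolean);
  return [trimmed, ...parts];
}

// Build the blacklist. Because the downstream check is case-sensitive,
// every token is stored both as typed and lowercased. Tokens shorter than
// three characters are dropped as noise, and the Set removes duplicates.
function buildUserInputs(fields) {
  const seen = new Set();
  for (const value of Object.values(fields)) {
    for (const token of tokenize(value)) {
      if (token.length < 3) continue;
      seen.add(token);
      seen.add(token.toLowerCase());
    }
  }
  return [...seen];
}

// Case-sensitive substring check standing in for a matcher that does not
// normalize case: returns the blacklist entries the password contains.
function matchedInputs(password, userInputs) {
  return userInputs.filter((w) => password.includes(w));
}

// Constructed sample profile values (field names assumed, not real accounts).
const sampleProfile = {
  user_login: 'IanDunn',
  user_email: 'ian.dunn@example.com',
  first_name: 'Ian',
  last_name: 'Dunn',
  display_name: 'Ian Dunn',
  user_url: 'https://example.com/blog',
};

const inputs = buildUserInputs(sampleProfile);
console.log('user_inputs:', inputs);
// Without the lowercased copies, "iandunn2013" would slip past a
// case-sensitive match against "IanDunn".
console.log('matched:', matchedInputs('iandunn2013', inputs));
```

Without the lowercased copies, a password such as `iandunn2013` contains none of the as-typed entries (`IanDunn`, `Ian`, `Dunn`) and the blacklist contributes nothing; with them, `iandunn`, `ian` and `dunn` all match.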