[wp-trac] [WordPress Trac] #25174: Expand zxcvbn user_input blacklist
WordPress Trac
noreply at wordpress.org
Wed Sep 25 01:42:21 UTC 2013
#25174: Expand zxcvbn user_input blacklist
----------------------------+--------------------
Reporter: iandunn | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 3.7
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch |
----------------------------+--------------------
Comment (by iandunn):
`25174.3.diff` is an all-JS solution. I haven't tested thoroughly yet, but
I think it's most of the way there. It works fine on the current user's
profile, another user's profile, the install, and the unit tests.
The returned array ends up with some extra words like "profile",
"installation", "admin", etc, but I don't think filtering them out is
really necessary. It would make the code a bit more complex and slower,
and those words are gonna be heavily penalized by the dictionary checks
anyway.
Note that [https://github.com/lowe/zxcvbn/issues/33 zxcvbn's user_input
check is case-sensitive], which significantly reduces the effectiveness of
the blacklist. It's still a worthwhile improvement, though.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25174#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
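The example below is added here to illustrate the two points in the comment above; it is not `25174.3.diff` or any other code from the ticket. It builds a user_input list from profile fields the way a strength meter on a profile screen would (the field names and values are constructed for the example), and shows why a case-sensitive matcher, as the linked zxcvbn issue describes, misses a username that appears in the password with different casing. The workaround shown, adding both the original-case token and its lower-cased form to the list, is an assumption about how one could cope with that matcher, not something the ticket proposes. The matcher functions stand in for zxcvbn's own check so the block runs without the library.

```javascript
// Added example (not the ticket's patch): build a zxcvbn-style user_input
// blacklist from profile fields and show the effect of case sensitivity.

// Constructed profile field values for this example.
const profileFields = {
  user_login: 'IanDunn',
  first_name: 'Ian',
  last_name: 'Dunn',
  nickname: 'iandunn',
  display_name: 'Ian Dunn',
  user_email: 'Ian.Dunn@Example.org',
  user_url: 'https://iandunn.example/',
};

// Split every string field into word-like tokens and drop very short ones.
// Leftover pieces such as "https" or "org" are the kind of extra words the
// comment mentions; they are harmless because dictionary checks catch them.
function tokenize(fields) {
  const tokens = [];
  for (const value of Object.values(fields)) {
    if (typeof value !== 'string') continue;
    for (const part of value.split(/[^a-zA-Z0-9]+/)) {
      if (part.length >= 3) tokens.push(part);
    }
  }
  return tokens;
}

// Build the user_inputs array. Always include the lower-cased token; with
// includeCaseVariants also keep the original casing so that a matcher that
// compares exactly still sees the form the user actually typed.
function buildUserInputs(fields, includeCaseVariants = false) {
  const inputs = new Set();
  for (const token of tokenize(fields)) {
    if (includeCaseVariants) inputs.add(token);
    inputs.add(token.toLowerCase());
  }
  return Array.from(inputs);
}

// Stand-in for a case-sensitive user_input check: exact substring match.
function matchesCaseSensitive(password, inputs) {
  return inputs.filter((t) => password.includes(t));
}

// Stand-in for a case-insensitive check: lower-case both sides first.
function matchesCaseInsensitive(password, inputs) {
  const lowered = password.toLowerCase();
  return inputs.filter((t) => lowered.includes(t.toLowerCase()));
}

// Demonstration: a password that reuses the username with different casing.
function demo() {
  const password = 'IanDunn2013!';
  const lowerOnly = buildUserInputs(profileFields);
  const withVariants = buildUserInputs(profileFields, true);
  return {
    lowerOnly,
    withVariants,
    sensitiveMisses: matchesCaseSensitive(password, lowerOnly),
    insensitiveHits: matchesCaseInsensitive(password, lowerOnly),
    sensitiveWithVariants: matchesCaseSensitive(password, withVariants),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block prints that the case-sensitive matcher finds nothing in `IanDunn2013!` against a lower-cased list, while the case-insensitive matcher flags `iandunn`, `ian` and `dunn`; once the original-case variants are included, the case-sensitive matcher catches the same reuse.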