Closed
Bug 1514469
Opened 7 years ago
Closed 7 years ago
firefox (sync) account creation password rejection problem
Categories
(Cloud Services :: Server: Firefox Accounts, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: michael, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Steps to reproduce:
Accepted the offer from Firefox to setup Sync.
Chose to create a Firefox Account (to continue to Firefox Sync).
Entered a password of 17 characters, made up of several words.
Actual results:
Form verification highlighted my password box in red, and the flyout password guide had a red warning next to "Must not match this list of common passwords".
Expected results:
It should not have rejected the password on the basis of "match(ing) this list of common passwords". Not only is my multi-word password not in that list of common passwords, not even the first word in my multi-word password is present in the list of 50k passwords.
Updated•7 years ago
Component: Untriaged → Sync
Comment 1•7 years ago
Thanks for the report!
+Shane for further investigation or delegation; I wonder if this could be a false-positive from the bloom filter on common passwords?
Component: Sync → Server: Firefox Accounts
Flags: needinfo?(stomlinson)
Product: Firefox → Cloud Services
Comment 2•7 years ago
> I wonder if this could be a false-positive from the bloom filter on common passwords?
Without knowing the exact password (btw, don't give this to anyone, even if they ask),
this is the most likely cause. We use a bloom filter [1] as the backing data store;
a bloom filter allows one to test whether a particular item is "probably part of
the set" or "definitely not part of the set". The "probably part of the set" means
false positives can and do happen.
We could add additional heuristics to say "well, it's probably not *really* part of
the set based on X, Y, or Z", but when we tried to add additional logic like this previously
it ended up causing even more confusion. We could also try a different filter, e.g.,
a cuckoo filter [2], though that's a lot of effort for possibly not a lot of reward.
Michael, thank you for the report. I understand your frustration and have been surprised
myself when gibberish passwords get caught, and I implemented the thing. The best I can
offer short-term is to modify your password in some way so the filter allows it.
[1] - https://en.wikipedia.org/wiki/Bloom_filter
[2] - https://www.cs.cmu.edu/~dga/papers/cuckoo-conext2014.pdf
Flags: needinfo?(stomlinson)
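As an added illustration of the false-positive behaviour Shane describes in comment 2 (example code, not the Firefox Accounts implementation): a small Bloom filter over a constructed stand-in for the common-password list, deliberately undersized (64 bits, 3 hashes, 20 entries) so that false positives on unrelated passphrases are easy to observe, plus the textbook false-positive estimate. The SHA-256-derived indexing and the two-stage `is_common_password` check (confirm a filter hit against the exact list) are assumptions of this example, not what the server does.

```python
import hashlib
import math

# Constructed, tiny "common password" list standing in for the real 50k list.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "football",
    "iloveyou", "admin", "welcome", "monkey", "dragon",
    "sunshine", "princess", "baseball", "shadow", "master",
    "superman", "trustno1", "hello", "freedom", "whatever",
]

class BloomFilter:
    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.bits = 0  # Python int used as an m-bit array.
        self.n = 0     # Number of inserted items, for the fp-rate estimate.

    def _indexes(self, item):
        # One SHA-256 digest per hash function (seed byte || item) -> one bit index.
        for seed in range(self.k):
            digest = hashlib.sha256(bytes([seed]) + item.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for idx in self._indexes(item):
            self.bits |= 1 << idx
        self.n += 1

    def probably_contains(self, item):
        # No false negatives are possible; false positives are.
        return all(self.bits >> idx & 1 for idx in self._indexes(item))

    def expected_fp_rate(self):
        # Standard approximation for a Bloom filter: (1 - e^(-kn/m))^k.
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k

def build_filter(passwords, m_bits=64, k_hashes=3):
    bf = BloomFilter(m_bits, k_hashes)
    for p in passwords:
        bf.add(p)
    return bf

def find_false_positives(bf, exact_set, candidates):
    # Candidates the filter flags as "probably common" that are not in the list.
    return [c for c in candidates if bf.probably_contains(c) and c not in exact_set]

def is_common_password(password, bf, exact_set):
    # Two-stage check: cheap filter first, exact list consulted only on a hit.
    return bf.probably_contains(password) and password in exact_set
```

With the real filter sized for 50k entries the false-positive rate is far lower than here, but it is never zero, which is why a multi-word password absent from the list can still be rejected.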
Comment 3•7 years ago
Thanks Shane. Understood.
My fix was to add a number to the password.
I would recommend that the linked explanation suggest there can be other (unspecific) reasons for the rejection, and that it's suggested the user include a number or symbol in the password.
Comment 4•7 years ago
(In reply to michael from comment #3)
> I would recommend that the linked explanation suggest there can be other
> (unspecific) reasons for the rejection, and that it's suggested the user
> include a number or symbol in the password.
That sounds reasonable to me. Shane, do you think it's worth opening a server issue for this request before we close this bug?
Flags: needinfo?(stomlinson)
Comment 5•7 years ago
(In reply to Mark Hammond [:markh] from comment #4)
> (In reply to michael from comment #3)
> > I would recommend that the linked explanation suggest there can be other
> > (unspecific) reasons for the rejection, and that it's suggested the user
> > include a number or symbol in the password.
>
> That sounds reasonable to me. Shane, do you think it's worth opening a
> server issue for this request before we close this bug?
There are already improvements planned [1]; adding suggestions to that
bug would make it easier to view feedback from one place.
Thanks for the feedback Michael!
[1] - https://github.com/mozilla/fxa-content-server/issues/6448#issuecomment-414452434
Flags: needinfo?(stomlinson)
Updated•7 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX