Open Bug 1901536 Opened 26 days ago Updated 26 days ago

Add the list of commonly used passwords that we shouldn't allow to RemoteSettings to compare against backup recovery codes

Categories

(Firefox :: Profile Backup, task, P3)

task

People

(Reporter: mconley, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fidefe-device-migration])

When encrypting a backup, we ask the user to provide a recovery code. The rules for those recovery codes roughly match the FxA password rules, in that:

  1. They must be 8 characters in length or longer
  2. Must not be the user's email address
  3. Must not be a commonly used password

(1) is trivial to check. (2) is quite tricky if we don't know the user's email address, but we'll defer solving that until we figure out the onboarding wizard that lets users create accounts. (3) is what this bug is about.

There is a list of commonly used passwords that FxA disallows. I propose we serve that up via RemoteSettings, so that when choosing to encrypt a backup, we can check the user's proposed recovery code against that list.
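The check described above, as an added example that is not code from this bug or from Firefox: a pure validator for the three recovery-code rules, with the common-password list constructed inline where the proposal would instead read it from a RemoteSettings collection. The function name, the result shape and the case-insensitive normalisation are assumptions made for the example.

```javascript
// Constructed sample of a common-password list (in the proposal this would be
// fetched from RemoteSettings; the entries here are illustrative only).
const CONSTRUCTED_COMMON_PASSWORDS = [
  "password", "12345678", "qwertyuiop", "letmein123",
];

// Normalise once so that lookups are case-insensitive and ignore surrounding
// whitespace; a user typing "Password" should be rejected like "password".
function buildDenylist(list) {
  return new Set(list.map((p) => p.trim().toLowerCase()));
}

// Returns { ok: true } or { ok: false, reason: "<rule>" }.
// `email` may be null/undefined when the account is unknown; rule (2) is then
// skipped, matching the deferral described in the bug.
function validateRecoveryCode(code, { email = null, denylist }) {
  if (typeof code !== "string") {
    return { ok: false, reason: "not-a-string" };
  }
  // Rule 1: at least 8 characters. Count code points rather than UTF-16
  // units so an astral character (e.g. an emoji) counts once, not twice.
  if ([...code].length < 8) {
    return { ok: false, reason: "too-short" };
  }
  const normalised = code.trim().toLowerCase();
  // Rule 2: must not be the user's email address (only when it is known).
  if (email && normalised === email.trim().toLowerCase()) {
    return { ok: false, reason: "matches-email" };
  }
  // Rule 3: must not be on the common-password list.
  if (denylist.has(normalised)) {
    return { ok: false, reason: "common-password" };
  }
  return { ok: true };
}

// Stand-alone usage with the constructed list.
const exampleDenylist = buildDenylist(CONSTRUCTED_COMMON_PASSWORDS);
console.log(validateRecoveryCode("Password", { denylist: exampleDenylist }));
console.log(validateRecoveryCode("correct horse battery", { denylist: exampleDenylist }));
```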
