Open
Bug 1901536
Opened 26 days ago
Updated 26 days ago
Add the list of commonly used passwords that we shouldn't allow to RemoteSettings to compare against backup recovery codes
Categories: Firefox :: Profile Backup, task, P3
Tracking: NEW
People: Reporter: mconley, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [fidefe-device-migration]
When encrypting a backup, we ask the user to provide a recovery code. The rules for those recovery codes roughly match the FxA password rules, in that:
1. They must be 8 characters in length or longer
2. Must not be the user's email address
3. Must not be a commonly used password
(1) is trivial to check. (2) is quite tricky if we don't know the user's email address, but we'll defer solving that until we figure out the onboarding wizard that lets users create accounts. (3) is what this bug is about.
There is a list of commonly used passwords that FxA disallows. I propose we serve that up via RemoteSettings, so that when choosing to encrypt a backup, we can check the user's proposed recovery code against that list.
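The three checks described in this bug, as an added example that is not taken from Firefox or FxA code. The function names, the sample list, the Unicode normalization and the case-insensitive matching are assumptions of this example; the list would in practice come from the RemoteSettings records the bug proposes.

```javascript
// Added example, not Firefox or FxA code. All names here are hypothetical.
const MIN_LENGTH = 8; // rule (1) from the bug description

// Constructed sample standing in for the records a RemoteSettings
// collection would deliver; the real FxA list is much longer.
const SAMPLE_COMMON_PASSWORDS = ["password", "12345678", "qwertyuiop", "iloveyou1"];

// Build a lookup set once so each check is a constant-time membership test.
// Assumption: entries are compared case-insensitively after NFKC normalization.
function buildBlocklist(entries) {
  return new Set(entries.map(e => e.normalize("NFKC").toLowerCase()));
}

// Returns { ok, failures, unchecked }.
// `email` may be null when the user's address is not known yet; rule (2)
// cannot be evaluated then, so it is reported as unchecked rather than passed.
function validateRecoveryCode(code, { email = null, blocklist }) {
  const failures = [];
  const unchecked = [];
  const normalized = code.normalize("NFKC");
  const folded = normalized.toLowerCase();

  // Rule (1): count code points, not UTF-16 units, so one emoji is one character.
  if ([...normalized].length < MIN_LENGTH) {
    failures.push("too-short");
  }
  // Rule (2): must not be the user's email address.
  if (email === null) {
    unchecked.push("is-email");
  } else if (folded === email.normalize("NFKC").trim().toLowerCase()) {
    failures.push("is-email");
  }
  // Rule (3): must not be a commonly used password.
  if (blocklist.has(folded)) {
    failures.push("common-password");
  }
  return { ok: failures.length === 0, failures, unchecked };
}
```

Callers can treat a non-empty `unchecked` array as a signal to re-run the validation once the email address becomes available.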