Closed Bug 531868 Opened 13 years ago Closed 11 years ago
Implement password strength policy for AMO
It looks like there are no password restrictions whatsoever on AMO. I just tested on preview and was able to create a user with a 2 character password. We need to enforce strong passwords, especially for authors, editors and admins. What needs to be done:
1) Require minimum password length
2) Require minimum password complexity
3) Show password strength meter in account creation and account edit pages.
Password strength in general angers people, so I'm only in favor of this if we can isolate it to accounts that aren't normal users.
I think point 3 is something that can be implemented for everyone without causing any annoyance. I also think it's pretty standard to have password policies on websites, and people should be mostly used to it. At least having a minimum password length. How could we isolate this for developers if a normal user becomes a developer when submitting an add-on?
(In reply to comment #2)
> I think point 3 is something that can be implemented for everyone without
> causing any annoyance.
Agreed. There's probably a jQuery plugin for that.
(In reply to comment #2)
> I also think it's pretty standard to have password policies on websites, and
> people should be mostly used to it.
The only websites I can think of that require password strength are financial websites. Not any normal entertainment/utility websites like Facebook, Digg, cnn.com, or even Gmail. There are far more users than developers, and this is a significant barrier to registration.
> How could we isolate this for developers if a normal user becomes a developer
> when submitting an add-on?
We would have to require password upgrades at some point after the user gets the additional permissions.
I just tried to change my password in Gmail, and there's a minimum length of 8 characters. This has been my experience for most websites, too. If you're only referring to point (2), then I agree, that's something that can be contained to security-sensitive accounts.
I was referring to point 2. I am fine with a minimum length for everyone.
What do you want the minimum length to be?
Severity: normal → enhancement
Priority: P2 → P5
I think the standard minimum is 8 characters.
Priority: P5 → P3
This bug is for: 1) Require minimum password length of 8 characters 2) Show password strength meter on account creation and account edit pages.
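Added example, not part of the bug thread or the Zamboni code: a server-side sketch of the tiered policy discussed in the comments above, with a minimum length of 8 for everyone, a complexity rule only for privileged accounts, and a forced password upgrade once a normal user gains extra permissions. Because only a hash is stored, the tier a password met is recorded when it is set. The role names, the three-of-four character-class rule and all identifiers are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

MIN_LENGTH = 8  # minimum length agreed in the thread, applies to every account
PRIVILEGED = {"developer", "editor", "admin"}  # assumed role names

# Assumed complexity rule (the thread does not define one):
# at least three of these four character classes.
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

BASIC, STRONG = 1, 2  # policy tiers; 0 means the password is rejected outright


def tier_met(password: str) -> int:
    """Return the highest policy tier this password satisfies."""
    if len(password) < MIN_LENGTH:
        return 0
    classes = sum(1 for pattern in CLASSES if re.search(pattern, password))
    return STRONG if classes >= 3 else BASIC


def tier_required(roles: set) -> int:
    """Privileged roles need the STRONG tier; everyone else needs BASIC."""
    return STRONG if roles & PRIVILEGED else BASIC


@dataclass
class Account:
    roles: set
    # Recorded when the password is set: the stored hash cannot be
    # re-checked against a stricter policy later.
    password_tier: int = 0

    def set_password(self, password: str) -> list:
        """Check against the tier the current roles demand; return error messages."""
        met = tier_met(password)
        if met == 0:
            return [f"Password must be at least {MIN_LENGTH} characters."]
        if met < tier_required(self.roles):
            return ["Use at least three of: lowercase, uppercase, digits, symbols."]
        self.password_tier = met  # real code would store the salted hash here too
        return []

    def must_upgrade(self) -> bool:
        """True when roles grew after the password was set (e.g. first add-on upload)."""
        return self.password_tier < tier_required(self.roles)
```

Calling `must_upgrade()` at login is one place to enforce the upgrade, since that is the only moment the plaintext password is available to be replaced.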
Target Milestone: 5.5 → 4.x (triaged)
Assignee: nobody → jorge
Target Milestone: 4.x (triaged) → 5.8
Jorge, are you planning on writing the patch for this yourself? Regardless, this should wait until after the user management and reg pages are ported to [z].
Assignee: jorge → nobody
Whiteboard: [required amo-editors] → [required amo-editors][z]
Target Milestone: 5.8 → 4.x (triaged)
Component: Developer Pages → Public Pages
QA Contact: developers → web-ui
Whiteboard: [required amo-editors][z] → [z]
What is the status of this bug? Are there plans to implement this?
Updating status from "enhancement" to "critical". This is a security concern that we'd like to see addressed as soon as possible. Please let us know what issues would block this or need to be further discussed.
Severity: enhancement → critical
This is not on any schedule. Fligtar, do you have any concerns with comment 9?
I'm fine with comment #9 as long as the feedback is immediate. The user shouldn't submit the page to find out the password was too short. Schedule-wise, I could see this happening towards the end of Q1 or early Q2 if it's important. We have too many Firefox 4 and other priorities right now for it to take place sooner than that. We'll need chowse to design the strength meter after his other AMO Q1 priorities unless we have one from another site that we can drop in, and that should probably be a separate design bug.
I'll put this in Q1 for now. If anyone has recommendations for JS strength meters, please let us know.
Target Milestone: 4.x (triaged) → Q1 2011
Assignee: kumar.mcmillan → nobody
Target Milestone: 6.0.3 → 4.x (triaged)
https://github.com/jbalogh/zamboni/commit/12e04a98e9454cb4f551a2e73f415bae2b6b2255 and https://github.com/andymckay/zamboni/commit/6ae009dfd671faecda55d23f0acfbbf1c8ce8cc4
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
I filed a few bugs but this is mostly done.
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard