Closed Bug 531868 Opened 13 years ago Closed 11 years ago

Implement password strength policy for AMO

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect, P3)

defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: jorgev, Assigned: andy+bugzilla)

References

(Blocks 1 open bug, )

Details

(Whiteboard: [see comment 9])

It looks like there are no password restrictions whatsoever on AMO. I just tested on preview and was able to create a user with a 2 character password. We need to enforce strong passwords, especially for authors, editors and admins.

What needs to be done:
1) Require minimum password length
2) Require minimum password complexity
3) Show password strength meter in account creation and account edit pages.
Severity: critical → normal
Priority: P1 → P2
Password strength in general angers people, so I'm only in favor of this if we can isolate it to accounts that aren't normal users.
I think point 3 is something that can be implemented for everyone without causing any annoyance.

I also think it's pretty standard to have password policies on websites, and people should be mostly used to it. At least having a minimum password length. How could we isolate this for developers if a normal user becomes a developer when submitting an add-on?
(In reply to comment #2)
> I think point 3 is something that can be implemented for everyone without
> causing any annoyance.

Agreed. There's probably a jquery plugin for that.
(In reply to comment #2)
> I also think it's pretty standard to have password policies on websites, and
> people should be mostly used to it. 

The only websites I can think of that require password strength are financial websites. Not any normal entertainment/utility websites like facebook, digg, cnn.com, or even Gmail. There are far more users than developers, and this is a significant barrier to registration.

> How could we isolate this for developers if a normal user becomes a developer
> when submitting an add-on?

We would have to require password upgrades at some point after the user gets the additional permissions.
I just tried to change my password in Gmail, and there's a minimum length of 8 characters. This has been my experience for most websites, too. If you're only referring to point (2), then I agree, that's something that can be contained to security-sensitive accounts.
I was referring to point 2. I am fine with a minimum length for everyone.
What do you want the minimum length to be?
Severity: normal → enhancement
Priority: P2 → P5
I think the standard minimum is 8 characters.
Priority: P5 → P3
This bug is for:

1) Require minimum password length of 8 characters
2) Show password strength meter on account creation and account edit pages.
Target Milestone: 5.5 → 4.x (triaged)
Assignee: nobody → jorge
Target Milestone: 4.x (triaged) → 5.8
Jorge,

Are you planning on writing the patch for this yourself?  Regardless, this should wait until after the user management and reg pages are ported to [z].
Assignee: jorge → nobody
Whiteboard: [required amo-editors] → [required amo-editors][z]
Target Milestone: 5.8 → 4.x (triaged)
Duplicate of this bug: 564263
Component: Developer Pages → Public Pages
QA Contact: developers → web-ui
Whiteboard: [required amo-editors][z] → [z]
Duplicate of this bug: 620054
Whiteboard: [z] → [see comment 9]
What is the status of this bug? Are there plans to implement this?
Updating status from "enhancement" to "critical".  This is a security concern that we'd like to see addressed as soon as possible.  Please let us know what issues would block this or need to be further discussed.
Severity: enhancement → critical
This is not on any schedule.  Fligtar, do you have any concerns with comment 9?
I'm fine with comment #9 as long as the feedback is immediate. The user shouldn't submit the page to find out the password was too short.

Schedule-wise, I could see this happening towards the end of Q1 or early Q2 if it's important. We have too many Firefox 4 and other priorities right now for it to take place sooner than that.

We'll need chowse to design the strength meter after his other AMO Q1 priorities unless we have one from another site that we can drop in, and that should probably be a separate design bug.
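The two requirements from comment 9 (a minimum length of 8 characters and a strength meter on the account pages), combined with the point above that feedback must be immediate rather than appearing only after the form is submitted, as an added JavaScript example. This is not AMO's code and not the geekwisdom script mentioned later in the thread; the element ids (`#password`, `#password-meter`, `#submit`), the character classes and the score thresholds are assumptions made for the example. The length rule still has to be enforced server-side; this only gives the user feedback while typing.

```javascript
// Added example (not AMO's own code): client-side password checks for the
// two items in comment 9. MIN_LENGTH comes from the bug; everything else
// (character classes, score thresholds, element ids) is an assumption.

const MIN_LENGTH = 8;

// Character classes used to estimate strength (assumed, not AMO policy).
const CLASSES = [
  { name: 'lowercase', re: /[a-z]/ },
  { name: 'uppercase', re: /[A-Z]/ },
  { name: 'digit', re: /[0-9]/ },
  { name: 'symbol', re: /[^A-Za-z0-9]/ },
];

const LABELS = ['too short', 'weak', 'fair', 'good', 'strong'];

// Returns { ok, score, label, problems } for a candidate password.
// `ok` reflects only the policy from comment 9 (minimum length); the score
// and label are informational, for the meter, and never block submission.
function checkPassword(password) {
  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`at least ${MIN_LENGTH} characters required`);
  }

  // A single repeated character (e.g. "aaaaaaaa") is capped at "weak"
  // regardless of length, so the meter does not reward padding.
  const allSame = password.length > 0 && /^(.)\1*$/.test(password);
  const classesHit = CLASSES.filter((c) => c.re.test(password)).length;

  let score = 0;
  if (password.length >= MIN_LENGTH) score += 1;
  if (password.length >= 12) score += 1;
  if (classesHit >= 2) score += 1;
  if (classesHit >= 3) score += 1;
  if (allSame) score = Math.min(score, 1);

  return { ok: problems.length === 0, score, label: LABELS[score], problems };
}

// Wires a password field to a meter element so the message updates on every
// keystroke instead of after the page is submitted. The submit button is
// disabled while the length policy is unmet.
function attachMeter(input, meter, submitButton) {
  const update = () => {
    const r = checkPassword(input.value);
    meter.textContent = r.ok ? `Strength: ${r.label}` : r.problems.join('; ');
    meter.dataset.score = String(r.score);
    if (submitButton) submitButton.disabled = !r.ok;
  };
  input.addEventListener('input', update);
  update();
}

// Only runs in a browser; the ids are assumed for this example.
if (typeof document !== 'undefined') {
  const input = document.querySelector('#password');
  const meter = document.querySelector('#password-meter');
  if (input && meter) {
    attachMeter(input, meter, document.querySelector('#submit'));
  }
}
```

Because `ok` depends only on length, the meter can show "weak" for an 8-character lowercase password without blocking registration, which matches the agreement in the thread that complexity rules are not imposed on normal users while the length minimum applies to everyone.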
I'll put this in Q1 for now.  If anyone has recommendations for JS strength meters, please let us know.
Target Milestone: 4.x (triaged) → Q1 2011
The top hit on google for "javascript password strength meter" points to this MIT licensed script http://www.geekwisdom.com/dyn/passwdmeter

That seems decent.
Assignee: nobody → kumar.mcmillan
Blocks: 638173
Target Milestone: Q1 2011 → 6.0.3
Assignee: kumar.mcmillan → nobody
Target Milestone: 6.0.3 → 4.x (triaged)
Assignee: nobody → amckay
Target Milestone: 4.x (triaged) → 6.0.12
Severity: critical → normal
Target Milestone: 6.0.12 → 6.1.0
I filed a few bugs but this is mostly done.
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard