Implement password strength policy for AMO

VERIFIED FIXED in 6.1.0

Status

Product: addons.mozilla.org Graveyard
Component: Public Pages
Priority: P3
Severity: normal
Status: VERIFIED FIXED
Reported: 9 years ago
Modified: 2 years ago

People

(Reporter: jorgev, Assigned: Andy McKay)

Tracking

(Blocks: 1 bug)

Version: unspecified
Target Milestone: 6.1.0

Details

(Whiteboard: [see comment 9], URL)

(Reporter)

Description

9 years ago
It looks like there are no password restrictions whatsoever on AMO. I just tested on preview and was able to create a user with a 2 character password. We need to enforce strong passwords, especially for authors, editors and admins.

What needs to be done:
1) Require minimum password length
2) Require minimum password complexity
3) Show password strength meter in account creation and account edit pages.
Severity: critical → normal
Priority: P1 → P2

Comment 1

Password strength in general angers people, so I'm only in favor of this if we can isolate it to accounts that aren't normal users.
(Reporter)

Comment 2

9 years ago
I think point 3 is something that can be implemented for everyone without causing any annoyance.

I also think it's pretty standard to have password policies on websites, and people should be mostly used to it. At least having a minimum password length. How could we isolate this for developers if a normal user becomes a developer when submitting an add-on?

Comment 3

(In reply to comment #2)
> I think point 3 is something that can be implemented for everyone without
> causing any annoyance.

Agreed. There's probably a jQuery plugin for that.

Comment 4

(In reply to comment #2)
> I also think it's pretty standard to have password policies on websites, and
> people should be mostly used to it.

The only websites I can think of that require password strength are financial websites. Not any normal entertainment/utility websites like facebook, digg, cnn.com, or even Gmail. There are far more users than developers, and this is a significant barrier to registration.

> How could we isolate this for developers if a normal user becomes a developer
> when submitting an add-on?

We would have to require password upgrades at some point after the user gets the additional permissions.
(Reporter)

Comment 5

9 years ago
I just tried to change my password in Gmail, and there's a minimum length of 8 characters. This has been my experience for most websites, too. If you're only referring to point (2), then I agree, that's something that can be contained to security-sensitive accounts.

Comment 6

I was referring to point 2. I am fine with a minimum length for everyone.

Comment 7

What do you want the minimum length to be?
Severity: normal → enhancement
Priority: P2 → P5
(Reporter)

Comment 8

9 years ago
I think the standard minimum is 8 characters.
Priority: P5 → P3

Comment 9

This bug is for:

1) Require minimum password length of 8 characters
2) Show password strength meter on account creation and account edit pages.
Target Milestone: 5.5 → 4.x (triaged)
(Reporter)

Updated

8 years ago
Assignee: nobody → jorge
Target Milestone: 4.x (triaged) → 5.8

Comment 10

Jorge,

Are you planning on writing the patch for this yourself? Regardless, this should wait until after the user management and reg pages are ported to [z].
(Reporter)

Updated

8 years ago
Assignee: jorge → nobody
Whiteboard: [required amo-editors] → [required amo-editors][z]
Target Milestone: 5.8 → 4.x (triaged)
Duplicate of this bug: 564263

Updated

8 years ago
Component: Developer Pages → Public Pages
QA Contact: developers → web-ui
Whiteboard: [required amo-editors][z] → [z]
Duplicate of this bug: 620054
Whiteboard: [z] → [see comment 9]

What is the status of this bug? Are there plans to implement this?

Updating status from "enhancement" to "critical". This is a security concern that we'd like to see addressed as soon as possible. Please let us know what issues would block this or need to be further discussed.
Severity: enhancement → critical

This is not on any schedule. Fligtar, do you have any concerns with comment 9?

I'm fine with comment #9 as long as the feedback is immediate. The user shouldn't submit the page to find out the password was too short.

Schedule-wise, I could see this happening towards the end of Q1 or early Q2 if it's important. We have too many Firefox 4 and other priorities right now for it to take place sooner than that.

We'll need chowse to design the strength meter after his other AMO Q1 priorities unless we have one from another site that we can drop in, and that should probably be a separate design bug.

I'll put this in Q1 for now. If anyone has recommendations for JS strength meters, please let us know.
Target Milestone: 4.x (triaged) → Q1 2011

The top hit on Google for "javascript password strength meter" points to this MIT licensed script http://www.geekwisdom.com/dyn/passwdmeter

That seems decent.
Assignee: nobody → kumar.mcmillan
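An added example, not AMO's code and not the geekwisdom script linked above: one JavaScript module that enforces the minimum length of 8 characters agreed in comment 9, gives immediate feedback as the user types (the requirement raised in the reply to comment 9), and computes an advisory strength score for the meter. The hard rule (minimum length, not on a denylist) decides whether the password is accepted; the score only drives the meter, which keeps the "length for everyone, complexity advisory" split from the thread. The element ids, the scoring weights and the short denylist are assumptions made for the example. The same module can be loaded server-side, so the rule holds even when a client skips the JavaScript.

```javascript
// Added example, not AMO's code. Runs unchanged in the browser (immediate
// feedback as the user types) and in Node (server-side enforcement).

const MIN_LENGTH = 8; // the minimum agreed in comment 9

// Character classes used for a simple, explainable strength score.
const CLASSES = [
  { name: "lowercase letters", re: /[a-z]/ },
  { name: "uppercase letters", re: /[A-Z]/ },
  { name: "digits",            re: /[0-9]/ },
  { name: "symbols",           re: /[^A-Za-z0-9]/ },
];

// Constructed denylist of very common passwords; a real deployment would
// load a much larger list.
const COMMON_PASSWORDS = new Set(["password", "12345678", "qwertyui", "iloveyou"]);

// Advisory score in 0..100 (assumed weights): rewards length (capped at 20
// characters) and variety of character classes, penalises runs of the same
// character repeated three or more times.
function strengthScore(pw) {
  const classCount = CLASSES.filter((c) => c.re.test(pw)).length;
  const runs = (pw.match(/(.)\1{2,}/g) || []).length;
  const raw = Math.min(pw.length, 20) * 3 + Math.max(classCount - 1, 0) * 15 - runs * 10;
  return Math.max(0, Math.min(100, raw));
}

function strengthLabel(score) {
  if (score < 40) return "weak";
  if (score < 60) return "fair";
  if (score < 80) return "good";
  return "strong";
}

// Policy check. `accepted` is the hard rule; `score` and `label` are advisory
// and only shown by the meter, never enforced.
function checkPassword(pw) {
  const problems = [];
  if (pw.length < MIN_LENGTH) {
    problems.push(`use at least ${MIN_LENGTH} characters`);
  }
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) {
    problems.push("that password is too common");
  }
  const score = strengthScore(pw);
  return { accepted: problems.length === 0, problems, score, label: strengthLabel(score) };
}

// Text for the meter next to the password field, recomputed on every
// keystroke so the user never has to submit the form to learn the password
// is too short.
function feedbackText(pw) {
  const r = checkPassword(pw);
  if (!r.accepted) return r.problems.join("; ");
  return `strength: ${r.label} (${r.score}/100)`;
}

// Browser wiring, skipped when the module runs on the server. The ids
// "id_password" and "password-meter" are hypothetical.
if (typeof document !== "undefined") {
  const input = document.getElementById("id_password");
  const meter = document.getElementById("password-meter");
  if (input && meter) {
    input.addEventListener("input", () => {
      meter.textContent = feedbackText(input.value);
      meter.dataset.strength = checkPassword(input.value).label;
    });
  }
}
```

On the server the form handler calls `checkPassword(submitted).accepted` and rejects the request when it is false; the client-side meter is a convenience and must not be the only place the length rule lives.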

Updated

7 years ago
Blocks: 638173
Target Milestone: Q1 2011 → 6.0.3
Assignee: kumar.mcmillan → nobody
Target Milestone: 6.0.3 → 4.x (triaged)
(Assignee)

Updated

7 years ago
Assignee: nobody → amckay
Target Milestone: 4.x (triaged) → 6.0.12
Severity: critical → normal
Target Milestone: 6.0.12 → 6.1.0

Comment 20

7 years ago
I filed a few bugs but this is mostly done.
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard