Closed
Bug 531868
Opened 15 years ago
Closed 14 years ago
Implement password strength policy for AMO
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect, P3)
Tracking
(Not tracked)
VERIFIED
FIXED
6.1.0
People
(Reporter: jorgev, Assigned: andy+bugzilla)
References
(Blocks 1 open bug, )
Details
(Whiteboard: [see comment 9])
It looks like there are no password restrictions whatsoever on AMO. I just tested on preview and was able to create a user with a 2 character password. We need to enforce strong passwords, especially for authors, editors and admins.
What needs to be done:
1) Require minimum password length
2) Require minimum password complexity
3) Show password strength meter in account creation and account edit pages.
Updated•15 years ago
Severity: critical → normal
Priority: P1 → P2
Comment 1•15 years ago
Password strength in general angers people, so I'm only in favor of this if we can isolate it to accounts that aren't normal users.
Reporter
Comment 2•15 years ago
I think point 3 is something that can be implemented for everyone without causing any annoyance.
I also think it's pretty standard to have password policies on websites, and people should be mostly used to it. At least having a minimum password length. How could we isolate this for developers if a normal user becomes a developer when submitting an add-on?
Comment 3•15 years ago
(In reply to comment #2)
> I think point 3 is something that can be implemented for everyone without
> causing any annoyance.
Agreed. There's probably a jQuery plugin for that.
Comment 4•15 years ago
(In reply to comment #2)
> I also think it's pretty standard to have password policies on websites, and
> people should be mostly used to it.
The only websites I can think of that require password strength are financial websites. Not any normal entertainment/utility websites like facebook, digg, cnn.com, or even Gmail. There are far more users than developers, and this is a significant barrier to registration.
> How could we isolate this for developers if a normal user becomes a developer
> when submitting an add-on?
We would have to require password upgrades at some point after the user gets the additional permissions.
Reporter
Comment 5•15 years ago
I just tried to change my password in Gmail, and there's a minimum length of 8 characters. This has been my experience for most websites, too. If you're only referring to point (2), then I agree, that's something that can be contained to security-sensitive accounts.
Comment 6•15 years ago
I was referring to point 2. I am fine with a minimum length for everyone.
Comment 7•15 years ago
What do you want the minimum length to be?
Severity: normal → enhancement
Priority: P2 → P5
Comment 9•15 years ago
This bug is for:
1) Require minimum password length of 8 characters
2) Show password strength meter on account creation and account edit pages.
Target Milestone: 5.5 → 4.x (triaged)
Reporter
Updated•15 years ago
Assignee: nobody → jorge
Target Milestone: 4.x (triaged) → 5.8
Comment 10•15 years ago
Jorge,
Are you planning on writing the patch for this yourself? Regardless, this should wait until after the user management and reg pages are ported to [z].
Reporter
Updated•15 years ago
Assignee: jorge → nobody
Whiteboard: [required amo-editors] → [required amo-editors][z]
Target Milestone: 5.8 → 4.x (triaged)
Updated•14 years ago
Component: Developer Pages → Public Pages
QA Contact: developers → web-ui
Whiteboard: [required amo-editors][z] → [z]
Updated•14 years ago
Whiteboard: [z] → [see comment 9]
Comment 13•14 years ago
What is the status of this bug? Are there plans to implement this?
Comment 14•14 years ago
Updating status from "enhancement" to "critical". This is a security concern that we'd like to see addressed as soon as possible. Please let us know what issues would block this or need to be further discussed.
Severity: enhancement → critical
Comment 15•14 years ago
This is not on any schedule. Fligtar, do you have any concerns with comment 9?
Comment 16•14 years ago
I'm fine with comment #9 as long as the feedback is immediate. The user shouldn't submit the page to find out the password was too short.
Schedule-wise, I could see this happening towards the end of Q1 or early Q2 if it's important. We have too many Firefox 4 and other priorities right now for it to take place sooner than that.
We'll need chowse to design the strength meter after his other AMO Q1 priorities unless we have one from another site that we can drop in, and that should probably be a separate design bug.
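Comments 9 and 16 together settle on a hard 8-character minimum, an advisory strength meter, and feedback before the form is submitted. A sketch of that behaviour follows as an added example; it is not code from zamboni or from any meter mentioned in this bug, and `evaluatePassword`, `attachMeter`, the scoring thresholds and the DOM elements are assumptions.

```javascript
// Added illustration: length is enforced, the strength score is advisory only.
const MIN_LENGTH = 8; // hard requirement from comment 9

// Character classes feed the advisory meter (hypothetical scoring rules).
const CLASSES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
const LABELS = ["too short", "weak", "fair", "good", "strong"];

function evaluatePassword(password) {
  // Count code points so an emoji or astral character is not counted twice.
  const chars = Array.from(password);
  const length = chars.length;
  if (length < MIN_LENGTH) {
    return {
      acceptable: false, score: 0, label: LABELS[0],
      message: `Use at least ${MIN_LENGTH} characters (${MIN_LENGTH - length} more).`,
    };
  }
  const classes = CLASSES.filter((re) => re.test(password)).length;
  const distinct = new Set(chars).size;
  // Advisory score 1..4: variety and length raise it.
  let score = 1;
  if (classes >= 2) score += 1;
  if (classes >= 3 || length >= 12) score += 1;
  if (length >= 16 && classes >= 2) score += 1;
  // Heavy repetition ("aaaaaaaa", "abababab") is always rated weak.
  if (distinct < 5) score = 1;
  return { acceptable: true, score, label: LABELS[score], message: "" };
}

// Re-evaluate on every keystroke so the user never has to submit the page
// to learn the password is too short. `field` and `meter` are hypothetical
// elements: a password <input> and an element that displays the result.
function attachMeter(field, meter) {
  field.addEventListener("input", () => {
    const result = evaluatePassword(field.value);
    meter.textContent = result.acceptable ? result.label : result.message;
    meter.dataset.score = String(result.score);
    // Blocks submission in the browser; the server must repeat the length
    // check, because client-side validation can be bypassed.
    field.setCustomValidity(result.acceptable ? "" : result.message);
  });
}
```

Only the length check rejects a password; a "weak" rating is shown but still accepted, matching the decision to keep complexity rules out of the general registration path.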
Comment 17•14 years ago
I'll put this in Q1 for now. If anyone has recommendations for JS strength meters, please let us know.
Target Milestone: 4.x (triaged) → Q1 2011
Comment 18•14 years ago
The top hit on Google for "javascript password strength meter" points to this MIT-licensed script: http://www.geekwisdom.com/dyn/passwdmeter
That seems decent.
Updated•14 years ago
Assignee: nobody → kumar.mcmillan
Updated•14 years ago
Target Milestone: Q1 2011 → 6.0.3
Updated•14 years ago
Assignee: kumar.mcmillan → nobody
Target Milestone: 6.0.3 → 4.x (triaged)
Assignee
Updated•14 years ago
Assignee: nobody → amckay
Updated•14 years ago
Target Milestone: 4.x (triaged) → 6.0.12
Updated•14 years ago
Severity: critical → normal
Updated•14 years ago
Target Milestone: 6.0.12 → 6.1.0
Assignee
Comment 19•14 years ago
https://github.com/jbalogh/zamboni/commit/12e04a98e9454cb4f551a2e73f415bae2b6b2255 and
https://github.com/andymckay/zamboni/commit/6ae009dfd671faecda55d23f0acfbbf1c8ce8cc4
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard