Bug 568218 - Enforce keyring password strength
Status: RESOLVED WONTFIX
Product: gnome-keyring
Classification: Core
Component: prompting
Version: git master
Hardware/OS: Other All
Importance: Normal enhancement
Target Milestone: ---
Assigned To: GNOME keyring maintainer(s)
Reported: 2009-01-18 21:44 UTC by Bojan Smojver
Modified: 2009-04-28 01:28 UTC
GNOME target: ---
GNOME version: Unversioned Enhancement


Attachments
- Enforce keyring password strength in gnome-keyring (5.58 KB, patch), 2009-01-18 21:46 UTC, Bojan Smojver
- Enforce keyring password strength in gnome-keyring (4.64 KB, patch), 2009-01-18 21:50 UTC, Bojan Smojver
- Enforce keyring password strength in gnome-keyring (7.34 KB, patch), 2009-01-21 02:00 UTC, Bojan Smojver, status: reviewed

Description Bojan Smojver 2009-01-18 21:44:16 UTC
It would be useful to be able to enforce keyring password strength. The attached patch does that. I did compile it, but not test it.
Comment 1 Bojan Smojver 2009-01-18 21:46:54 UTC
Created attachment 126720
Enforce keyring password strength in gnome-keyring

This compiles, but was not otherwise tested.
Comment 2 Bojan Smojver 2009-01-18 21:50:18 UTC
Created attachment 126721
Enforce keyring password strength in gnome-keyring

OOPS! Looks like that patch contained unrelated chaff.
Comment 3 Bojan Smojver 2009-01-21 02:00:14 UTC
Created attachment 126892
Enforce keyring password strength in gnome-keyring

This patch was tested on F-10. Appears to work.
Comment 4 Stef Walter 2009-01-30 22:26:59 UTC
Hmmm. We may need to document what the 0.0 to 10.0 factors actually mean. Is there a succinct way to explain that? Otherwise it'd be confusing for someone trying to actually use the setting via gconf.
Comment 5 Bojan Smojver 2009-01-31 04:08:52 UTC
Yes, there is. The password score will be increased as follows:

- for total length of 0, 1 and 2 characters by -0.2, -0.1 and 0.0
- for total length of 3, 4 and 5 (or more) characters by 0.1, 0.2 and 0.3
- for each digit (up to 3) by 0.1
- for each upper case letter (up to 3) by 0.1
- for each other character (up to 3) by 0.15
Comment 6 Bojan Smojver 2009-01-31 08:29:45 UTC
> - for each other character (up to 3) by 0.15

That should be:

- for each special character (up to 3) by 0.15
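The scoring rules from comments 5 and 6, written out as an added C example; this is not the code from the attached patch, and it assumes the score starts at 0.0, that "special character" means anything other than a letter or digit, and that the mapping of this raw score onto the 0.0 to 10.0 gconf setting (which the thread never states) is left to the caller.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Score in hundredths so the arithmetic is exact: 135 means 1.35. */
int keyring_password_score_hundredths(const char *password)
{
    size_t len = strlen(password);
    int digits = 0, upper = 0, special = 0;
    int score;

    /* Length: -0.2, -0.1, 0.0 for 0..2 characters; 0.1, 0.2, 0.3 for 3, 4, 5 or more. */
    if (len >= 5)
        score = 30;
    else
        score = (int)len * 10 - 20;

    for (const unsigned char *p = (const unsigned char *)password; *p; p++) {
        if (isdigit(*p))
            digits++;
        else if (isupper(*p))
            upper++;
        else if (!isalpha(*p))   /* assumption: any non-alphanumeric byte is "special" */
            special++;
    }

    /* Only the first three of each class count toward the score. */
    if (digits > 3) digits = 3;
    if (upper > 3) upper = 3;
    if (special > 3) special = 3;

    /* 0.1 per digit, 0.1 per upper-case letter, 0.15 per special character. */
    score += digits * 10 + upper * 10 + special * 15;
    return score;
}

double keyring_password_score(const char *password)
{
    return keyring_password_score_hundredths(password) / 100.0;
}

/* The check a prompt would make against the required strength read from gconf. */
int keyring_password_strong_enough(const char *password, double required)
{
    return keyring_password_score(password) >= required;
}

int main(void)
{
    const char *samples[] = { "", "ab", "abcde", "Passw0rd!", "AAAA1111!!!!" };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s score %.2f\n", samples[i], keyring_password_score(samples[i]));
    return 0;
}
```

The maximum reachable score under these rules is 1.35 (0.3 + 0.3 + 0.3 + 0.45), which is why a required strength on a 0.0 to 10.0 scale needs a documented mapping.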
Comment 7 Stef Walter 2009-03-03 03:17:46 UTC
I appreciate the effort you've put into this, but I believe that these metrics will be confusing. Usually password strength requirements are rule based and enforced at a low level, with password history and many other things.

Implementing this properly will require far more code, and we'll also need to consider the other ways that passwords get into the system (APIs) etc...
Comment 8 Bojan Smojver 2009-03-03 19:48:36 UTC
The best thing to do here would be to plug the whole lot in the system password policy enforcement. In other words, run the password through PAM or something like that to see if strength requirements are met.

Until we do that, may I suggest we keep the metrics I mentioned above in the gconf schema and tell users something like this in the manual:

"Password length, number of upper case letters, digits and special characters in your password all contribute to its strength. Keep typing until the strength bar matches the required password strength."

No maths there :-)

As for APIs, we can fix them to obey password strength as well. Programs can already fetch required strength from gconf (so they know where they need to be); we just need to enforce that.

Comment 9 Bojan Smojver 2009-04-28 01:28:07 UTC
Looks like there is no interest in this. Closing as WONTFIX.