Created attachment 189895: Screenshot of a password box - no feedback about password quality

A user is prompted to set a password when performing various actions in LibreOffice. For example, a password is requested for the integrated password store, or documents can be encrypted by the user. LibreOffice does not require a minimum length and thus complexity for these passwords. A single character is accepted by LibreOffice as a password.

In the project, different possibilities are to be evaluated as to how the password security can be increased. At least the following possibilities are to be investigated:

1) Introduction of a configurable password policy (such as password minimal length, should it contain numbers, punctuation, etc.)
2) The display of a warning message to the user due to a weakly chosen password, and
3) Introduction of a strength meter, cf. https://dropbox.tech/security/zxcvbn-realistic-password-strength-estimation

Based on this, the best option (or a combination) is to be implemented.
I'd prefer information over restriction - if a user wants to go with 12345 it should be possible. The rules might be:
* mixed lower/upper case
* numbers included
* length > 6
What else? Some tips at https://www.nngroup.com/articles/password-creation/
TL;DR: Implement strength meter based on existing code, do not use rules, consider further improvements.

1. PRO: strength meter
   1) There will be existing and reviewed code for it
   2) It is not dependent on single rules
   3) It is a self-contained component, its only dependency being the password-entry field and minor translation.
2. AGAINST (for now): rules. They need a lot of text and cannot capture well how password (cracking) works. Let's say your rules say "special characters": nice, but several randomly chosen words ("passphrase") might be better, leading to adding 1! to the phrase etc.
3. OPTIONAL/Addition: have an "unmask password" icon. While attackers might look over your shoulder, far more often they don't, and it adds some comfort when typing more complex passwords or finding a problem with them.
4. OPTIONAL/Addition: Remove hint for case sensitivity. There are many things to be hinted at, but if we do not know we absolutely need it, it takes away attention from more important things.
5. OPTIONAL/Addition: If we feel we need to instruct people about more-than-absolute-essentials here, let's link to a help page.
6. AGAINST (for now): Configuring a password policy, since it would lead to needing an additional implementation to configure it, ideally via an org-wide policy etc. Also, see problems with rules at 2.
btw.: Since a simple web search for C++ password meter comes up with quite some rule-based approaches — https://keepass.info/help/kb/pw_quality_est.html has a description of a non-rule-based approach. The "simple" old algorithm might already be sufficient.
We discussed the topic in the design meeting. The idea is welcome; suggestions were made here. To sum up, a strength meter along with a tooltip sounds like a good solution UI-wise. Please don't forget the unhide interaction. The policy should default to allow weak and empty passwords but provide means for companies to raise the security.
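Added example (not LibreOffice code, and not the zxcvbn-c algorithm the later commits bundle) illustrating the two points made above: the argument that a pattern-aware estimator beats character-class rules, and the design meeting's call for a policy that defaults to permissive but can be raised. The names PasswordPolicy, meetsPolicy and estimateBits, and the tiny word list, are constructed for this illustration.

```cpp
#include <cctype>
#include <cmath>
#include <string>
#include <vector>

// Constructed stand-in for a real common-password dictionary (zxcvbn ships far larger lists).
static const std::vector<std::string> kCommonWords = {
    "password", "libreoffice", "welcome", "qwerty", "letmein", "123456"};
// Configurable policy. Defaults allow weak and even empty passwords, as the design meeting
// asked; an organisation can raise them through configuration.
struct PasswordPolicy {
    std::size_t minLength = 0;
    bool requireMixedCase = false;
    bool requireDigit = false;
};
bool meetsPolicy(const std::string& pw, const PasswordPolicy& p) {
    bool lower = false, upper = false, digit = false;
    for (unsigned char c : pw) {
        lower = lower || std::islower(c);
        upper = upper || std::isupper(c);
        digit = digit || std::isdigit(c);
    }
    return pw.size() >= p.minLength && (!p.requireMixedCase || (lower && upper))
        && (!p.requireDigit || digit);
}
// Length of the dictionary word starting at pos in the lowercased password, or 0.
static std::size_t dictionaryMatch(const std::string& low, std::size_t pos) {
    for (const std::string& w : kCommonWords)
        if (low.compare(pos, w.size(), w) == 0) return w.size();
    return 0;
}
// Rough guess-entropy estimate in bits. A toy, not zxcvbn's algorithm, but built on the same
// idea: a dictionary word or a sequence is one cheap pattern, not a run of strong characters.
double estimateBits(const std::string& pw) {
    std::string low = pw;
    for (char& c : low) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    double bits = 0.0;
    for (std::size_t i = 0; i < pw.size();) {
        unsigned char c = pw[i];
        std::size_t n = dictionaryMatch(low, i);
        if (n)                                              // word: log2(|dict|), +1 bit if capitalised
            bits += std::log2(static_cast<double>(kCommonWords.size())) + (pw[i] != low[i] ? 1.0 : 0.0);
        else if (i > 0 && (c == pw[i - 1] || c == pw[i - 1] + 1 || c == pw[i - 1] - 1))
            bits += 1.0;                                    // repeat or alphabet/digit step: ~1 bit
        else                                                // otherwise charge the character class size
            bits += std::log2(std::isdigit(c) ? 10.0 : std::isalpha(c) ? 26.0 : 33.0);
        i += n ? n : 1;
    }
    return bits;
}
```

With a strict rule set, "Password1!" passes every rule yet scores only about 12 bits, while "tractor moon velvet" fails the mixed-case and digit rules and scores far higher; the weakness of the toy is the other direction, since words missing from its short list are charged per character, which is why a real dictionary matters.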
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/3d5cafbe1727a95a54eb4a65d98d6d79ec46f0c8 tdf#157518: external: bundle zxcvbn-c It will be available in 24.2.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/df79eedf6989ab4c2913a23a7e72079bd719168b tdf#157518: vcl: Introduce vcl control LevelBar It will be available in 24.2.0.
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/b1e24664de424a626f78b9fe002bf4d47c8907d5 tdf#157518: add password policy and strength meter to save with password dialog It will be available in 24.2.0.
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/806656ce4b20aa5b096fe3f072060f6302117afc tdf#157518: vcl: add native macOS rendering support for LevelBar control It will be available in 24.2.0.
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/cdcff8c34144e883eca9dc6e1a85968ed34909c2 tdf#157518: add password strength meter to setmasterpassworddlg It will be available in 24.2.0.
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/e8fc5d7fcab6b283ec0655b1d7cab5bf28fde240 tdf#157518: add password strength bar to sfx2/ui/password.ui It will be available in 24.2.0.
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/861ebce9ca52cbe87121879f159d8ec0cb572755 tdf#157518: add password strength bar to protectsheetdlg.ui It will be available in 24.2.0.
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/fed7b3068dcea2ebf65314c4f212350720631706 tdf#157518: enforce password policy on setmasterpassworddlg It will be available in 24.2.0.
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/ed72c6fbfa02cf98cb0d0f761ef5a7b9ffb894bc tdf#157518: enforce password policy on sfx2/ui/password.ui It will be available in 24.2.0.
(In reply to Heiko Tietze from comment #4)
> Please don't forget the unhide interaction.

The unhide interaction isn't trivial to implement AFAICS, since it will require different backend implementations. Gtk has GtkPasswordEntry (which comes with an unhide interaction built in), which, after being welded, should be easy to plug in/swap with existing regular entry fields for passwords. AFAICS there's no trivial solution for this on Windows; we would need to cook something custom similar to what Gtk offers there, with a custom icon & custom entry. Haven't really researched other backends. Could we file this as a separate enhancement request?
(In reply to Sarper Akdemir (allotropia) from comment #14)
> Could we file this as a separate enhancement request?

Sure, thought it was trivial.
Created attachment 190859: Password strength bar on GTK / current master
Thanks Sarper! Verified in:
Version: 24.2.0.2 (X86_64) / LibreOffice Community
Build ID: b1fd3a6f0759c6f806568e15c957f97194bbec8f
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded
Sarper Akdemir committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/10e12d0e6316ac20388f589f062e784e8d9aa630 tdf#157518: add uitest for password policy It will be available in 24.8.0.