
PasswordStrengthValidator logic always return Weak even for strong password #57074


Open · ucscode opened this issue May 23, 2024 · 6 comments

Comments

@ucscode

ucscode commented May 23, 2024

Symfony version(s) affected

7.0.*

Description

I am encountering an issue with the PasswordStrength constraint in Symfony. While using the PasswordStrength::STRENGTH_WEAK level for password validation, even strong passwords are being flagged as "very weak" and preventing form submission.

TestCase
  • Password: #Q_81($r7 (This is just an example of the password used)
  • Password Constraint Configuration
new PasswordStrength([
    'minScore' => PasswordStrength::STRENGTH_WEAK
])

How to reproduce

Create a registration form with email and password, ensuring that the password constraint is set to have minScore as PasswordStrength::STRENGTH_WEAK, then submit the form with a stronger password.

The password to submit should contain uppercase, lowercase, special chars and numbers but should not be more than 9 characters in length.

Possible Solution

The problem boils down to the PasswordStrengthValidator::estimateStrength() method on this code section:

$pool = $lower + $upper + $digit + $symbol + $control + $other;
$entropy = $chars * log($pool, 2) + ($length - $chars) * log($chars, 2);
return match (true) {
    $entropy >= 120 => PasswordStrength::STRENGTH_VERY_STRONG,
    $entropy >= 100 => PasswordStrength::STRENGTH_STRONG,
    $entropy >= 80 => PasswordStrength::STRENGTH_MEDIUM,
    $entropy >= 60 => PasswordStrength::STRENGTH_WEAK,
    default => PasswordStrength::STRENGTH_VERY_WEAK,
};
  1. Improve the logic for the $entropy
  2. Round off the $entropy value into an integer. (Most times it evaluates to decimals lower than 50 (e.g. 59.128700474979))

Additional Context

No response
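To see where the 59.1287 figure in the report comes from, here is a Python port of the formula quoted above, added as an example (it is not Symfony's code). It assumes the per-class pool sizes Symfony's classifier feeds into $pool (26 lower, 26 upper, 10 digits, 33 symbols, 33 control, 128 non-ASCII) and the 0..4 ordering of the STRENGTH_* constants; both are assumptions, not taken from the issue text. It also goes one step further and computes how many distinct all-class characters each threshold requires.

```python
import math

# Assumption: Symfony's PasswordStrength::STRENGTH_* constants are 0..4 in this order.
VERY_WEAK, WEAK, MEDIUM, STRONG, VERY_STRONG = range(5)
THRESHOLDS = ((120, VERY_STRONG), (100, STRONG), (80, MEDIUM), (60, WEAK))


def pool_size(password: str) -> int:
    """Sum the alphabet size of every character class present in the password.

    Each class counts once no matter how many of its characters appear; these
    per-class sizes are an assumption about the classifier feeding $pool."""
    lower = upper = digit = symbol = control = other = 0
    for code in {ord(ch) for ch in password}:
        if code < 32 or code == 127:
            control = 33
        elif 48 <= code <= 57:
            digit = 10
        elif 65 <= code <= 90:
            upper = 26
        elif 97 <= code <= 122:
            lower = 26
        elif code >= 128:
            other = 128
        else:
            symbol = 33
    return lower + upper + digit + symbol + control + other


def entropy(password: str) -> float:
    """The formula quoted in the issue: each distinct character is worth
    log2(pool) bits, each repeated character only log2(distinct) bits."""
    length, chars = len(password), len(set(password))
    if length == 0:
        return 0.0
    return chars * math.log2(pool_size(password)) + (length - chars) * math.log2(chars)


def estimate_strength(password: str) -> int:
    """Map the entropy onto the five levels with the cut-offs quoted above."""
    bits = entropy(password)
    return next((level for cutoff, level in THRESHOLDS if bits >= cutoff), VERY_WEAK)


def shortest_all_class_length(min_score: int) -> int:
    """Fewest distinct characters, drawn from all four ASCII classes (pool 95),
    that reach min_score. Explains why 9 characters cannot reach STRENGTH_WEAK."""
    for n in range(4, 30):
        candidate = "aA1!" + "bcdefghijklmnopqrstuvwxyz"[: n - 4]  # all distinct
        if estimate_strength(candidate) >= min_score:
            return n
    raise ValueError("not reachable with distinct ASCII characters")
```

With the reported password, 9 distinct characters from a 95-character pool give 9 * log2(95) = 59.13 bits, just under the 60-bit WEAK cut-off; a tenth distinct character (or even a repeated one, which adds log2(9) bits) crosses it.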

@94noni
Contributor

94noni commented May 23, 2024

I tend to agree, and here is an interesting read I once came across here:
#49879

"What is a right password" is a hard thing to tell, for humans between them and for machines as well ^^
I think you can still leverage an "internal estimator" for the constraints in the case where, for you, the default password estimator must be considered to be something else.

@nicolas-grekas
Member

#Q_81($r7 is indeed a weak password: it's way too short, thus can be cracked quite quickly

@ucscode
Author

ucscode commented May 23, 2024

#Q_81($r7 is indeed a weak password: it's way too short, thus can be cracked quite quickly

It may be weak but having a strength of 0 (Very Weak) is not remarkable

@OskarStark OskarStark changed the title PasswordStrengthValidator Logic always return Weak even for strong password PasswordStrengthValidator logic always return Weak even for strong password May 24, 2024
@carsonbot

Hey, thanks for your report!
There has not been a lot of activity here for a while. Is this bug still relevant? Have you managed to find a workaround?

@ucscode
Author

ucscode commented Nov 25, 2024

Hey, thanks for your report! There has not been a lot of activity here for a while. Is this bug still relevant? Have you managed to find a workaround?

Well, I had to create a custom password strength estimator constraint that uses the Zxcvbn library for validation.

@carsonbot carsonbot removed the Stalled label Nov 25, 2024
@carsonbot

Hey, thanks for your report!
There has not been a lot of activity here for a while. Is this bug still relevant? Have you managed to find a workaround?


5 participants