
[Validator] Update the name of a password strength level #50133


Merged: 1 commit, Apr 24, 2023

Conversation

javiereguiluz (Member, author)

Q | A
Branch? | 6.3
Bug fix? | no
New feature? | no
Deprecations? | no
Tickets | -
License | MIT
Doc PR | -

After checking the docs of the new PasswordStrength constraint, I propose to rename the STRENGTH_REASONABLE level name.

"Reasonable" is subjective. In a banking app, reasonable can be level 4 (very strong) and in a one-time password that expires in 60 seconds, reasonable can be level 0 (very weak).

I propose to rename it as a more neutral STRENGTH_MEDIUM name. Other common names for this are "Moderate" and "Fair".

nicolas-grekas (Member)

This has been introduced by @Spomky in #49789. I'd like to have his opinion on this. Does "reasonable" come from any recommended source?

nicolas-grekas (Member) commented Apr 24, 2023

My personal opinion: "reasonable" is appropriate wording.
We take responsibility for defining what's a good tradeoff between strength and being annoying to end users according to external sources. Medium doesn't convey that it's both good enough and annoying enough, and people might over-zealously go for strong just because it feels more ... strong, without realizing the effect on UX.

javiereguiluz (Member, author)

In revision 3 of the "NIST Special Publication 800-63B" (https://pages.nist.gov/800-63-3/sp800-63b.html) (last updated in 2020), they link to this paper when talking about password strength meters:

[Meters] de Carné de Carnavalet, Xavier and Mohammad Mannan. “From Very Weak to Very Strong: Analyzing Password-Strength Meters.” In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2014. Available at: http://www.internetsociety.org/sites/default/files/06_3_1.pdf

In that paper we can see the strength scale used by some popular tech companies:

[Image: password-strength-levels (table from the paper listing the strength level names used by popular tech companies)]

Nobody seems to be using "Reasonable" and instead they use "Medium", "Moderate" or "Fair".

Spomky (Contributor) commented Apr 24, 2023

Hi,

To be honest, when I came up with the word reasonable, I had in mind that it's hard to say how it might evolve in the future. It is also voluntary to use a vague term since in reality it is difficult to really define the strength of a password.
Nevertheless I agree with you and the term should indeed align with common practice in the field and a word like Moderate or Medium would be more appropriate.

javiereguiluz (Member, author)

Thanks for your comment @Spomky.

What really made me think about this was the minScore option of the constraint, which can be described as "Which is the reasonable password strength for your app?"

If this "reasonable level" can be configured, then none of the predefined levels can be the reasonable one. I think all depends on the app using it. Thanks!
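The point made in the comment above, that the application picks its own bar through minScore while the level names stay neutral, as an added example (not code from this PR or from the Symfony docs). It assumes symfony/validator 6.3 or later installed with Composer, so that the renamed constant PasswordStrength::STRENGTH_MEDIUM exists, and runs the same constraint against a few constructed sample passwords under two hypothetical contexts: a banking login that raises minScore, and the default, which is STRENGTH_MEDIUM.

```php
<?php
// Added example, not part of the Symfony PR or documentation.
// Assumes symfony/validator ^6.3 installed via Composer (vendor/autoload.php).

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Validator\Constraints\PasswordStrength;
use Symfony\Component\Validator\Validation;

$validator = Validation::createValidator();

// Constructed sample inputs, from an obviously weak password to a long passphrase.
$candidates = [
    'password',
    'Tr0ub4dor&3',
    'correct horse battery staple',
    'vX7#kQ2!pL9@mR4$wN8&zT1%',
];

// Two hypothetical contexts from the discussion: a banking login that wants a
// high bar, and the constraint's default. The level names are the same in both;
// only minScore (what the application considers acceptable) differs.
$contexts = [
    'banking login (STRONG)' => new PasswordStrength(minScore: PasswordStrength::STRENGTH_STRONG),
    'default (MEDIUM)'       => new PasswordStrength(), // minScore defaults to STRENGTH_MEDIUM
];

foreach ($contexts as $label => $constraint) {
    printf("== %s, minScore=%d ==\n", $label, $constraint->minScore);
    foreach ($candidates as $password) {
        // validate() returns a ConstraintViolationList; empty means accepted.
        $violations = $validator->validate($password, $constraint);
        $status = 0 === \count($violations) ? 'accepted' : 'rejected';
        printf("%-32s %s\n", $password, $status);
    }
}
```

Run it with `php example.php` after `composer require symfony/validator`. The same input can be accepted under one context and rejected under the other, which is the reason the level name itself should not claim to be the "reasonable" one.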

nicolas-grekas (Member)

What about fair or good?

Spomky (Contributor) commented Apr 24, 2023

We already have very weak, weak, strong, very strong.
In the table, FedEx used the same plus Medium, and this is the one proposed in this PR. It looks good to me.

nicolas-grekas (Member) left a review comment:

Let's go, thanks for the contributions to the discussion.

nicolas-grekas (Member)

Thank you @javiereguiluz.

@nicolas-grekas nicolas-grekas merged commit 55a38a8 into symfony:6.3 Apr 24, 2023
@javiereguiluz javiereguiluz deleted the constraint_tweak branch April 24, 2023 17:34
OskarStark added a commit to symfony/symfony-docs that referenced this pull request Apr 26, 2023
…th constraint (javiereguiluz)

This PR was squashed before being merged into the 6.3 branch.

Discussion
----------

[Validator] Update the name of a level in PasswordStrength constraint

This was renamed in symfony/symfony#50133

Commits
-------

e753954 [Validator] Update the name of a level in PasswordStrength constraint