[Validator] feat : add password strength estimator related documentation #19910
Conversation
In case of need to retrieve the actual strength of a password (e.a. display it in a frontend live next to the password field), the ``estimateStrength`` `dedicated function`_ of the :class:`Symfony\\Component\\Validator\\Constraints\\PasswordStrengthValidator` is a public static function, therefore this function can be retrieved directly from the `PasswordStrengthValidator` class.::
Should this data be considered sensitive data?
By analysing the successive scores after each keystroke, isn't it much, much easier to break a password?
I would not consider it sensitive data, as the strength is not linked to the user and is not encrypted => so the only information anyone would get is how the strength of a password is constructed (which is public anyway, as this code is public), but maybe I'm missing part of the analysis (I'm not a security expert).
But I see indeed that it's defined as a Sensitive Parameter in the code => @smnandre how should we mention it in the documentation?
The code change that made the estimateStrength function of the Validator public is here: symfony/symfony#54881
I think we could replace
(e.a. display it in a frontend live next to the password field)
with
(e.g. compute the score and display it when the user has defined a password)
Just removing the "live" part from the documentation feels better to me... wdyt?
I understand what you mean and it feels right indeed => text updated
Yannick, thanks for this contribution! Your original PR was perfectly fine but, to avoid having to browse many small pages when reading Symfony Docs, we lately avoid creating short articles. That's why, while merging this, I moved the new docs to the constraint article and removed the new doc page. See f6b6991
This PR fixes #19903
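A worked example, added here and not part of the PR or of the Symfony documentation, of what the documented line describes: calling the public static `estimateStrength()` directly and handing back only the score, computed once when the user has defined a password rather than after each keystroke, as the review thread settled on. `PasswordStrengthValidator::estimateStrength()` and the `PasswordStrength::STRENGTH_*` constants are the component's own; the `vendor/autoload.php` path, the `strengthLabel()` and `scorePassword()` helpers, the `meets_minimum` policy threshold and the sample password are assumptions of this example.

```php
<?php
// Added example, not code from the PR or from Symfony. Assumes a version of
// symfony/validator in which estimateStrength() is public (symfony/symfony#54881)
// and a Composer autoloader at vendor/autoload.php (both assumptions).

declare(strict_types=1);

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Validator\Constraints\PasswordStrength;
use Symfony\Component\Validator\Constraints\PasswordStrengthValidator;

/**
 * Hypothetical helper: maps the integer returned by estimateStrength()
 * to a display label using the constants PasswordStrength exposes.
 */
function strengthLabel(int $score): string
{
    return match ($score) {
        PasswordStrength::STRENGTH_VERY_WEAK => 'very weak',
        PasswordStrength::STRENGTH_WEAK => 'weak',
        PasswordStrength::STRENGTH_MEDIUM => 'medium',
        PasswordStrength::STRENGTH_STRONG => 'strong',
        PasswordStrength::STRENGTH_VERY_STRONG => 'very strong',
    };
}

/**
 * Hypothetical helper: scores a submitted password once. The password is
 * never logged or echoed back; only the score leaves this function. The
 * parameter carries #[\SensitiveParameter] (PHP 8.2+) so it is redacted
 * from stack traces, mirroring the attribute on estimateStrength() itself.
 */
function scorePassword(#[\SensitiveParameter] string $password): array
{
    $score = PasswordStrengthValidator::estimateStrength($password);

    return [
        'score' => $score,
        'label' => strengthLabel($score),
        // Assumed policy threshold for this example; pick your own.
        'meets_minimum' => $score >= PasswordStrength::STRENGTH_MEDIUM,
    ];
}

// Minimal endpoint for the "display it when the user has defined a password"
// case: run with `php -S 127.0.0.1:8000 this_file.php` and POST password=...
if (PHP_SAPI !== 'cli') {
    $password = (string) ($_POST['password'] ?? '');
    header('Content-Type: application/json');
    header('Cache-Control: no-store'); // do not let proxies cache the score
    echo json_encode(scorePassword($password), JSON_THROW_ON_ERROR);
    exit;
}

// CLI usage with a constructed sample input (not a real credential).
var_dump(scorePassword('correct horse battery staple'));
```

The endpoint only answers a completed submission: it never reports a score per keystroke, so an observer of the responses learns the strength class of the final password, not a trace of how it was typed. The `no-store` header keeps the score out of shared caches, and the `#[\SensitiveParameter]` attribute on the wrapper is the same precaution the thread noticed on `estimateStrength()` itself.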