Index: src/wp-admin/js/password-strength-meter.js =================================================================== --- src/wp-admin/js/password-strength-meter.js (revision 25617) +++ src/wp-admin/js/password-strength-meter.js (working copy) @@ -1,6 +1,64 @@ -function passwordStrength(password1, username, password2) { +/** + * Determine the strength of a given password + * + * @param string password1 The password + * @param array blacklist An array of words that will lower the entropy of the password + * @param string password2 The confirmed password + */ +function passwordStrength( password1, blacklist, password2 ) { + if ( ! jQuery.isArray( blacklist ) ) + blacklist = [ blacklist.toString() ]; + if (password1 != password2 && password2.length > 0) return 5; - var result = zxcvbn( password1, [ username ] ); + + var result = zxcvbn( password1, blacklist ); return result.score; } + +/** + * Builds an array of data that should be penalized, because it would lower the entropy of a password if it were used + * + * @return array The array of data to be blacklisted + */ +function buildUserInputBlacklist() { + var i, userInputFieldsLength, rawValuesLength, currentField, + rawValues = [], + blacklist = [], + userInputFields = [ 'user_login', 'first_name', 'last_name', 'nickname', 'display_name', 'email', 'url', 'description', 'weblog_title', 'admin_email' ]; + + // Collect all the strings we want to blacklist + rawValues.push( jQuery( 'title' ).text() ); + rawValues.push( document.URL ); + + userInputFieldsLength = userInputFields.length; + for ( i = 0; i < userInputFieldsLength; i++ ) { + currentField = jQuery( '#' + userInputFields[ i ] ); + + if ( 0 == currentField.length ) { + continue; + } + + rawValues.push( currentField[0].defaultValue ); + rawValues.push( currentField.val() ); + } + + // Strip out non-alphanumeric characters and convert each word to an individual entry + rawValuesLength = rawValues.length; + for ( i = 0; i < rawValuesLength; i++ ) { + if ( rawValues[ i ] ) { + blacklist = blacklist.concat( rawValues[ i ].replace( /\W/g, ' ' ).split( ' ' ) ); + } + } + + // Remove empty values, short words, and duplicates. Short words are likely to cause many false positives. + blacklist = jQuery.grep( blacklist, function( value, key ) { + if ( '' == value || 4 > value.length ) { + return false; + } + + return jQuery.inArray( value, blacklist ) === key; + }); + + return blacklist; +} \ No newline at end of file Index: src/wp-admin/js/user-profile.js =================================================================== --- src/wp-admin/js/user-profile.js (revision 25617) +++ src/wp-admin/js/user-profile.js (working copy) @@ -9,7 +9,7 @@ return; } - strength = passwordStrength(pass1, user, pass2); + strength = passwordStrength( pass1, buildUserInputBlacklist(), pass2 ); switch ( strength ) { case 2: Index: tests/qunit/wp-admin/js/password-strength-meter.js =================================================================== --- tests/qunit/wp-admin/js/password-strength-meter.js (revision 25617) +++ tests/qunit/wp-admin/js/password-strength-meter.js (working copy) @@ -77,14 +77,14 @@ } }); - test( 'username in password should be penalized', function() { + test( 'blacklisted words in password should be penalized', function() { var allowedPasswordScore, penalizedPasswordScore, allowedPassword = 'a[janedoe]4', penalizedPassword = 'a[johndoe]4', - username = 'johndoe'; + blacklist = [ 'extra', 'johndoe', 'superfluous' ]; - allowedPasswordScore = passwordStrength( allowedPassword, username, allowedPassword ); - penalizedPasswordScore = passwordStrength( penalizedPassword, username, penalizedPassword ); + allowedPasswordScore = passwordStrength( allowedPassword, blacklist, allowedPassword ); + penalizedPasswordScore = passwordStrength( penalizedPassword, blacklist, penalizedPassword ); ok( penalizedPasswordScore < allowedPasswordScore, 'Penalized password scored ' + penalizedPasswordScore + '; allowed password scored: ' + allowedPasswordScore ); });