Expand zxcvbn user_input blacklist
Reported by: iandunn | Owned by:
The current blacklist only contains the username, but there are other known data about the current user/site that we should discourage using in passwords, because they'll lower the entropy.
I've attached a rough first pass. It needs more work, but I'd like to get some feedback.
- There's probably a better location for zxcvbn_user_input_blacklist()
- Are there performance concerns with zxcvbn_user_input_blacklist()? There are a lot of function calls and processing, and there may be more elegant ways to get the same results.
- Any more suggestions for additional generic words to blacklist?
- Are there any security/privacy issues, since all of the data returned by zxcvbn_user_input_blacklist() will be revealed in the page source? Probably not in the typical usage, since it's only shown on user-edit.php (and therefore is already behind a current_user_can() check). There could be issues if it were (mis)used by plugins, though.
- Any other issues?
Note that there's currently a bug in the zxcvbn implementation where user_input is being ignored, so this patch won't actually affect the returned score until Jon's latest patch is committed.
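As an added illustration of the idea in the ticket (not the attached patch and not WordPress core code), the following JavaScript builds a user_input list from the kind of per-user and per-site values the ticket mentions and then reports which of those tokens a candidate password contains. The field names mirror WP_User properties and get_bloginfo() values, but the sampleUser and sampleSite objects, the GENERIC_WORDS list and the helper names are constructed for this example. The resulting array is what would be handed to zxcvbn as its user_inputs argument; the hit-finder only shows why those tokens matter, it is not zxcvbn's scoring.

```javascript
// Added example, not part of the ticket or of WordPress core.
// Generic words every WordPress site shares; assumption for this example.
const GENERIC_WORDS = ['wordpress', 'password', 'admin', 'login', 'blog'];

// Lowercase a value, split it on non-alphanumerics, keep tokens of 3+ chars,
// and also keep the value with separators removed so "Ian Dunn" yields "iandunn".
function tokenize(value) {
  if (typeof value !== 'string') return [];
  const lower = value.toLowerCase();
  const parts = lower.split(/[^a-z0-9]+/).filter((p) => p.length >= 3);
  const joined = lower.replace(/[^a-z0-9]/g, '');
  if (joined.length >= 3) parts.push(joined);
  return parts;
}

// Reduce a URL to the distinctive labels of its host: drop scheme, path,
// a leading "www." and the TLD, then tokenize what is left.
function hostLabels(url) {
  const m = /^(?:[a-z]+:\/\/)?([^/:?#]+)/i.exec(url || '');
  if (!m) return [];
  const host = m[1].toLowerCase().replace(/^www\./, '');
  return tokenize(host.replace(/\.[a-z]{2,}$/, ''));
}

// Collect user and site data into a sorted, de-duplicated list suitable for
// zxcvbn(password, userInputs). Only call this on screens that are already
// behind a capability check, since the list ends up in the page source.
function buildUserInputBlacklist(user, site) {
  const fields = [
    user.user_login, user.display_name, user.first_name, user.last_name,
    user.nickname, user.user_email && user.user_email.split('@')[0],
    site.name, site.description,
  ];
  let tokens = [];
  for (const f of fields) tokens = tokens.concat(tokenize(f));
  tokens = tokens.concat(hostLabels(site.url), hostLabels(user.user_url));
  tokens = tokens.concat(GENERIC_WORDS);
  return Array.from(new Set(tokens)).sort();
}

// Which blacklist tokens occur (case-insensitively) inside the password.
function findBlacklistHits(password, blacklist) {
  const p = password.toLowerCase();
  return blacklist.filter((t) => p.includes(t));
}

// Constructed sample data for the demo; not read from a live site.
const sampleUser = {
  user_login: 'iandunn', display_name: 'Ian Dunn', first_name: 'Ian',
  last_name: 'Dunn', nickname: 'ian', user_email: 'ian.dunn@example.org',
  user_url: 'https://iandunn.example.org',
};
const sampleSite = {
  name: "Ian's Blog", description: 'Just another site',
  url: 'https://blog.example.org',
};

function demo(password) {
  const blacklist = buildUserInputBlacklist(sampleUser, sampleSite);
  return { blacklist, hits: findBlacklistHits(password, blacklist) };
}

console.log(demo('IanDunn2013!'));
```

With the sample data the list contains tokens such as "iandunn", "blogexample" and "iansblog", and a password like "IanDunn2013!" is flagged for "dunn", "ian" and "iandunn", which is exactly the material zxcvbn would then treat as a dictionary match rather than as random characters.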