WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 3 months ago

Last modified 2 days ago

#31647 closed enhancement (fixed)

zxcvbn.js is old

Reported by: muranyia Owned by: pento
Milestone: 4.8 Priority: normal
Severity: normal Version:
Component: External Libraries Keywords:
Focuses: javascript Cc:

Description

wp-includes/js/zxcvbn.min.js is version 1.0 and rather old.
I don't know about other issues but it contains an invalid ("blah-blah") dictionary. For example:

o("male_names",r("wnzrf,wbua,eboreg,zvpunry,jvyyvnz,qnivq,evpuneq,puneyrf,..."))

See https://github.com/dropbox/zxcvbn/blob/master/zxcvbn.js for an up-to-date version.

Attachments (1)

31647.diff (2.4 KB) - added by pento 3 months ago.

Download all attachments as: .zip

Change History (12)

#1 @SergeyBiryukov
2 years ago

  • Component changed from Users to External Libraries

#2 in reply to: ↑ description @ocean90
2 years ago

Replying to muranyia:

I don't know about other issues but it contains an invalid ("blah-blah") dictionary.

We are using ROT13 for the word dictionaries see [25156].

The only change seems to be https://github.com/dropbox/zxcvbn/commit/482ed03a10779ec125100721c2d828b97abf9ea6.

#3 @iseulde
2 years ago

  • Version trunk deleted

#4 @swissspidy
17 months ago

There were quite some changes to the library recently. The current version is 3.5.0.

#5 @muranyia
5 months ago

  • Type changed from defect (bug) to enhancement
  • Version set to 4.6.1

As of Wordpress 4.6.1 zxcvbn.js is still version 1.0. The current version is 4.4.0.

#6 @swissspidy
5 months ago

  • Keywords needs-patch needs-testing added
  • Milestone changed from Awaiting Review to Future Release

#7 @pento
3 months ago

#39260 was marked as a duplicate.

#8 @pento
3 months ago

  • Milestone changed from Future Release to 4.8
  • Owner set to pento
  • Status changed from new to assigned
  • Version 4.6.1 deleted

@pento
3 months ago

#9 @pento
3 months ago

  • Keywords needs-patch needs-testing removed

31647.diff is the diff against zxcvbn master, to transform the word lists into a ROT13 version.

#10 @pento
3 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 39596:

Libraries: Update zxcvbn from version 1.0 to 4.4.1

This includes masses of bug fixes, as well as tweaks to how passwords are scored.

QUnit tests have been updated to reflect tha scoring changes.

Full changelog: https://github.com/dropbox/zxcvbn/compare/v1.0...v4.4.1

Fixes #31647.

#11 @jrchamp
2 days ago

@pento Is there any concern that the rot13 is negatively affecting the accuracy of the password strength evaluation? Specifically, won't this also affect the "keyboard layout" aka adjacency_graphs?

In case changes are needed, it might be worthwhile to also update the copyright line which was changed to "2012-2016 Dan Wheeler and Dropbox, Inc." in upstream.

Thank you for taking a look!

Note: See TracTickets for help on using tickets.