
magento2.1.4 Strange password strength notice


When I use Magento CE 2.1.4, on the register page, I input a password like: Cc-2017010, then I see the password strength message shows "Strong".

Then I change the password to 'Cc-20170109', and the password strength turns to 'Medium'.

It seems strange: why is the strength lower when the password becomes longer?

I know Magento 2 uses the password strength validation from https://github.com/dropbox/zxcvbn. The register page password strength validation comes from the JS file 'vendor/magento/module-customer/view/frontend/web/js/zxcvbn.js', but this JS file has too much code. Does anyone know what's the matter in this case, and how it works? Is it a bug?

 

Also, on https://www.bennish.net/password-strength-checker/, a password strength checker website which uses the zxcvbn JavaScript library, I entered the above two passwords to check, and their strengths are actually mainly the same.


2 REPLIES

Re: magento2.1.4 Strange password strength notice

That's interesting, isn't it! I have had a little look and I wonder if the first password is not being seen as a date but the second one is?

 

If you look here: https://github.com/dropbox/zxcvbn/blob/master/src/matching.coffee

 

around line 431 it is talking about a date match. Looks like the script sees a "date" as

 date_match: (password) ->
    # a "date" is recognized as:
    #   any 3-tuple that starts or ends with a 2- or 4-digit year,
    #   with 2 or 0 separator chars (1.1.91 or 1191),
    #   maybe zero-padded (01-01-91 vs 1-1-91),
    #   a month between 1 and 12,
    #   a day between 1 and 31.

Your first password doesn't match this criteria but the second one does. 

 

What do you think?

Re: magento2.1.4 Strange password strength notice

@Stu583 thanks! It's mainly that the last 8 numbers match date_match, so the password strength is degraded, but I also find that a date does not always result in the password strength degrading; for example, the strength of password 'cC-ioajfff20170801' is the same as 'cC-ioajfff2017080'. Maybe it matches other checkers. I'm not very clear on the password strength check code; it seems more complex and stronger.
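
The date rule quoted in the first reply, applied to the passwords from this thread, as an added example that is not part of the original posts and not code from zxcvbn or Magento. It covers only the no-separator case, does no strength scoring, and the function names and the 1000-2050 year window are assumptions of this sketch.

```javascript
// Added example: simplified date matcher following the rule quoted above.
// Assumptions (not taken from zxcvbn.js): no-separator case only, 4-digit
// years limited to 1000-2050, 2-digit years accepted as-is, no scoring.
const MIN_YEAR = 1000, MAX_YEAR = 2050;

function validDayMonth(a, b) {
  // Either order is allowed: day-month or month-day.
  const ok = (d, m) => d >= 1 && d <= 31 && m >= 1 && m <= 12;
  return ok(a, b) || ok(b, a);
}

// True if `digits` splits into year + two 1-2 digit fields (year first or last).
function isDate(digits) {
  for (const yearLen of [2, 4]) {
    const restLen = digits.length - yearLen;
    if (restLen < 2 || restLen > 4) continue;
    for (const yearFirst of [true, false]) {
      const year = yearFirst ? digits.slice(0, yearLen) : digits.slice(-yearLen);
      const rest = yearFirst ? digits.slice(yearLen) : digits.slice(0, -yearLen);
      const y = parseInt(year, 10);
      if (yearLen === 4 && (y < MIN_YEAR || y > MAX_YEAR)) continue;
      for (let cut = 1; cut < rest.length; cut++) {
        const left = rest.slice(0, cut), right = rest.slice(cut);
        if (left.length > 2 || right.length > 2) continue;
        if (validDayMonth(parseInt(left, 10), parseInt(right, 10))) return true;
      }
    }
  }
  return false;
}

// Every digit substring of length 4-8 that the rule accepts.
function dateTokens(password) {
  const found = [];
  for (let i = 0; i < password.length; i++) {
    for (let len = 4; len <= 8 && i + len <= password.length; len++) {
      const token = password.slice(i, i + len);
      if (/^\d+$/.test(token) && isDate(token)) found.push(token);
    }
  }
  return found;
}

// Longest accepted token, or "" when none matches.
function longestDate(password) {
  return dateTokens(password).reduce((a, b) => (b.length > a.length ? b : a), "");
}

for (const pw of ["Cc-2017010", "Cc-20170109"]) console.log(pw, "->", longestDate(pw));
```

Under these assumptions the 8-digit runs `20170109` and `20170801` are accepted whole, while the 7-digit runs `2017010` and `2017080` are rejected as a whole and only shorter substrings such as `201701` pass the rule.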