cancel
Showing results for 
Search instead for 
Did you mean: 

magento2.1.4 Strange password strength notice

magento2.1.4 Strange password strength notice

When I use MagentoCE2.1.4,in the register page,I input a password likes:Cc-2017010 ,then I see the password strength message shows "Strong".Selection_409.png

Then,I change the password to 'Cc-20170109',the password strength turn to 'Medium'Selection_410.png

It seem strange,why the password between longer,the strength lower.

I know the magento2 use the password strength validation from https://github.com/dropbox/zxcvbn. The register page password strength validation from js 'vendor/magento/module-customer/view/frontend/web/js/zxcvbn.js',but this js file is too much code.Does anyone know what's the matter of this case,how does it work?Is it the bug?

 

Also,in https://www.bennish.net/password-strength-checker/ a password strength checker website which use zxcvbn JavaScript library ,I input the above two passwords to check,actually they are strength mainly are same.

Selection_411.pngSelection_412.png

2 REPLIES

Re: magento2.1.4 Strange password strength notice

Thats interesting isn't it! I have had a little look and I wonder if the first password is not being seen as a date but the second one is?

 

If you look here: https://github.com/dropbox/zxcvbn/blob/master/src/matching.coffee

 

around line 431 it is talking about a date match. Looks like the script sees a "date" as

 date_match: (password) ->
    # a "date" is recognized as:
    #   any 3-tuple that starts or ends with a 2- or 4-digit year,
    #   with 2 or 0 separator chars (1.1.91 or 1191),
    #   maybe zero-padded (01-01-91 vs 1-1-91),
    #   a month between 1 and 12,
    #   a day between 1 and 31.

Your first password doesn't match this criteria but the second one does. 

 

What do you think?

Re: magento2.1.4 Strange password strength notice

@Stu583 thanks!It's mainly the last 8 numbers match the date_match,so the password strength is degraded,but I also find it's not always the date will result in the password strength degrades,such as password 'cC-ioajfff20170801' is strength is same as 'cC-ioajfff2017080'.May be it matches other checkers,I'm not very clear of the password strength check code,they seem complexer and stronger.