Password Settings should show password strength indicator instead of password length #1857
Comments
My personal preference would be to not show any asterisks and instead show a strength bar (weak / medium / strong). If that was something we could do, I'm not sure how the UX would look. cc: @bradleyrichter. If we wanted to go the extra mile, having a check for each password (against other stored passwords) and flagging passwords which are duplicates as weak or another status like "DANGEROUS" would be ideal.
@bsclifton How about input[type=password] being prefilled with asterisked "Password" as placeholder. If the field is not mutated, load and submit the password. With a strength bar at the bottom.
It's showing the length of the encrypted password. I had thought that for AES-GCM that would always be the same as the length of the plaintext password, but I guess not (due to encoding normalization or something?). Would be easy to switch to fixed-length asterisks. Strength bar is doable too via something like https://github.com/dropbox/zxcvbn
@diracdeltas ah- this is good to know. I only checked a few of my PWs and the encrypted version just happened to be the same length as the plain text. That PW strength estimator project you linked to is amazing (how have I not seen that?). For people not wanting to use 1Password, Dashlane, etc., showing a strength bar using the logic from that project would be a really nice feature 😄
@bsclifton sorry, i misread this bug and thought you meant the opposite of what you actually meant. IMO there is not much point to obfuscating the PW length since we are using a password encryption algorithm that preserves the length (it's actually showing length of encrypted password). i guess it helps very slightly against over-the-shoulder attacks. changing bug title to be about password strength indicator which would be a nice enhancement regardless
If no one is working on it, I would love to give it a try 😄
@MargarytaChepiga i think this is low priority since we are moving away from using our password manager page. however, if you do want to try this, i would use https://github.com/dropbox/zxcvbn for strength indication
I will work on something else then. Thanks for letting me know @diracdeltas!
Closing as |
Did you search for similar issues before submitting this one?
Yes
Describe the issue you encountered:
Brave's password manager shows all saved user/passwords for each site using asterisks. However, the actual number of asterisks is the actual length of the real password.
Expected behavior:
The password field should either not be shown OR password should be a fixed # of asterisks (so people standing behind a user don't know the exact number of chars for a password).
All versions
All versions
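The display the thread converges on (a fixed-width mask, a weak / medium / strong label, and a "DANGEROUS" flag for reused passwords) can be sketched as below. This is an added example, not part of the issue or Brave's code; `buildRows`, `roughScore`, `label`, the score-to-label mapping and the sample entries are all hypothetical, and `roughScore` is a crude stand-in for zxcvbn's 0-4 `score`.

```javascript
// Added example: rows for a password settings view. All names are hypothetical.
const MASK = '*'.repeat(8); // fixed width, independent of the real length

// Crude stand-in estimator returning a 0-4 score, the same range as
// zxcvbn(password).score. It overrates patterned passwords; pass a
// zxcvbn-backed estimator to buildRows for real use.
function roughScore(password) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 33;
  const chars = Array.from(password).length; // code points, not UTF-16 units
  const bits = pool ? chars * Math.log2(pool) : 0;
  return Math.min(4, Math.floor(bits / 20));
}

// Assumed mapping from a 0-4 score to the three labels used in the thread.
function label(score) {
  if (score <= 1) return 'weak';
  return score === 2 ? 'medium' : 'strong';
}

// entries: [{ site, username, password }], already decrypted in memory.
function buildRows(entries, estimate = roughScore) {
  const uses = new Map();
  for (const e of entries) uses.set(e.password, (uses.get(e.password) || 0) + 1);
  return entries.map((e) => ({
    site: e.site,
    username: e.username,
    display: MASK, // never derived from e.password, so no length is shown
    // A reused password is flagged regardless of how strong it scores.
    status: uses.get(e.password) > 1 ? 'DANGEROUS' : label(estimate(e.password)),
  }));
}

// Constructed sample data.
const sampleRows = buildRows([
  { site: 'a.example', username: 'alice', password: 'hunter2' },
  { site: 'b.example', username: 'alice', password: 'Tr0ub4dor&3-correct-horse' },
  { site: 'c.example', username: 'alice', password: 'Tr0ub4dor&3-correct-horse' },
  { site: 'd.example', username: 'alice', password: 'pq7!Lz_mW2#vXr9@' },
]);
console.log(sampleRows);
```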