mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-04-26 01:35:54 +03:00
[GH-ISSUE #818] Master Password requirement #569
Originally created by @brentl99 on GitHub (Jan 17, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/818
When registering users to bitwarden, it enforces an 8 character password requirement, and it warns users of weak passwords. I would like to change this in my configuration so that it requires more strict master password requirements.
I am not too familiar with the code, so I would appreciate any pointers to the area of code that I should look at for this. Also, perhaps someone else has already undertaken such a modification and could share their change.
Thank you.
@dani-garcia commented on GitHub (Jan 18, 2020):
The password requirements are all done client side, so you'd have to modify the clients to make those changes, they can't be made server side.
That said, at least the web vault seems to be using a more complex algorithm than simply password length, it seems to be using zxcvbn:
github.com/bitwarden/jslib@6c8407196b/src/services/passwordGeneration.service.ts (L272)
https://github.com/dropbox/zxcvbn
@brentl99 commented on GitHub (Jan 18, 2020):
I have looked a little bit at this, but I have not quite found the connection. Just so I am clear on my description, the attached screenshot is what I am trying to change the validation on:

@brentl99 commented on GitHub (Jan 18, 2020):
I think I found the test for masterPassLength of 8 characters in src/app/settings/change-password.component.ts
@dani-garcia commented on GitHub (Jan 18, 2020):
Ah, it seems zxcvbn is only used for the strength bar and there's still a minimum of 8 chars.
That check for registration is done here, the one you found applies only to the change password option:
github.com/bitwarden/jslib@6c8407196b/src/angular/components/register.component.ts (L81)
@brentl99 commented on GitHub (Jan 18, 2020):
Thank you for your help. I made three changes that serve my purposes in v2.10.1.
a) the test for this.masterPassword.length from < 8 to be < 10 (approx line 80)
b) I also changed the if execution logic for strengthResult to be (approx line 95):

```ts
if (strengthResult != null && strengthResult.score < 3) {
    // reject the weak master password outright instead of asking the user to confirm
    this.platformUtilsService.showToast('error', this.i18nService.t('errorOccurred'),
        this.i18nService.t('weakMasterPassword'));
    return;
    /** original confirm dialog, kept commented out:
    const result = await this.platformUtilsService.showDialog(
        this.i18nService.t('weakMasterPasswordDesc'), this.i18nService.t('weakMasterPassword'),
        this.i18nService.t('yes'), this.i18nService.t('no'), 'warning');
    if (!result) { return; }
    */
}
```

These changes seem to:
The original password code would allow a master password, for example, of "password". This makes absolutely no sense to me, having a password manager accept a weak password.
Thank you for your help.
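The two checks discussed in this thread, the fixed minimum length and the zxcvbn score gate in register.component.ts, can be modelled as one small client-side policy function. The block below is an added example, not code from bitwarden/jslib or vaultwarden, and it does not run zxcvbn: `naiveScorer` is a constructed stand-in that returns a 0..4 score from length, character variety and a handful of constructed common passwords, so the numbers it produces are illustrative only. `MasterPasswordPolicy`, `evaluateMasterPassword`, `UPSTREAM_POLICY` and `STRICT_POLICY` are names chosen here; the two policies encode the upstream behaviour (8 characters, score below 3 only warns and lets the user continue) and the stricter variant from the comment above (10 characters, score below 3 rejects).

```typescript
// Added example (not bitwarden/jslib or vaultwarden code): a client-side master
// password gate mirroring the two checks discussed in this thread.

interface MasterPasswordPolicy {
  minLength: number;                      // upstream uses 8; the thread raises it to 10
  minScore: number;                       // zxcvbn-style score (0..4) below which the password is weak
  weakPasswordMode: "warn" | "reject";    // upstream asks the user to confirm; the strict variant refuses
}

type Verdict =
  | { outcome: "accept" }
  | { outcome: "warn"; message: string }    // caller would show a yes/no dialog
  | { outcome: "reject"; message: string }; // caller would show an error toast

type StrengthScorer = (password: string) => number;

// Constructed stand-in for zxcvbn (assumption: a real client calls zxcvbn itself).
const COMMON_PASSWORDS = new Set(["password", "password1", "12345678", "qwertyui", "letmein1"]);

function naiveScorer(password: string): number {
  if (COMMON_PASSWORDS.has(password.toLowerCase())) return 0;
  const classes =
    Number(/[a-z]/.test(password)) + Number(/[A-Z]/.test(password)) +
    Number(/[0-9]/.test(password)) + Number(/[^A-Za-z0-9]/.test(password));
  let score = 0;
  if (password.length >= 8) score++;
  if (password.length >= 12) score++;
  if (classes >= 3) score++;
  if (password.length >= 16 && classes >= 3) score++;
  return Math.min(score, 4);
}

// Length is checked first (the masterPassLength check); only then is strength scored.
function evaluateMasterPassword(
  password: string,
  policy: MasterPasswordPolicy,
  scorer: StrengthScorer = naiveScorer,
): Verdict {
  if (password.length < policy.minLength) {
    return { outcome: "reject", message: `masterPassLength: at least ${policy.minLength} characters required` };
  }
  const score = scorer(password);
  if (score < policy.minScore) {
    const message = `weakMasterPassword: strength ${score}/4 is below ${policy.minScore}`;
    return policy.weakPasswordMode === "reject"
      ? { outcome: "reject", message }
      : { outcome: "warn", message };
  }
  return { outcome: "accept" };
}

// Upstream behaviour as described in the thread: 8 characters, weak passwords only warn.
const UPSTREAM_POLICY: MasterPasswordPolicy = { minLength: 8, minScore: 3, weakPasswordMode: "warn" };
// The stricter variant from the comment above: 10 characters, weak passwords are refused.
const STRICT_POLICY: MasterPasswordPolicy = { minLength: 10, minScore: 3, weakMasterPasswordModeFix: undefined as never, weakPasswordMode: "reject" } as MasterPasswordPolicy;

// "password" passes the 8-character check and is merely a warning upstream,
// which is the behaviour the thread objects to; the strict policy rejects it on length alone.
for (const candidate of ["password", "correcthorse", "Tr0ub4dor&3-longer"]) {
  console.log(candidate, "upstream:", evaluateMasterPassword(candidate, UPSTREAM_POLICY).outcome,
    "strict:", evaluateMasterPassword(candidate, STRICT_POLICY).outcome);
}
```

Because this logic lives in the client, as the maintainer notes above, it governs what the web vault will submit, not what the server will accept; a modified client can still send whatever it likes, so a tighter policy here raises the floor for users of the stock client rather than enforcing anything server-side.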
@paulbou commented on GitHub (Sep 3, 2020):
Hi,
I'm very interested in enforcing the master password requirement.
Unfortunately I'm a total noob and I do not understand where to find the several files to modify.
Could you explain it a little bit more, please?
Thanks!
@bilogic commented on GitHub (Jan 18, 2023):
Password rules should be configurable. And it sounds like an upstream issue rather than Vaultwarden, correct?
@eclairevoyant commented on GitHub (Apr 16, 2023):
possibly relevant: #2412