FFI: Add zxcvbn dependency for password strength evaluation#6708
Draft
mredig wants to merge 9 commits into
Draft
FFI: Add zxcvbn dependency for password strength evaluation#6708mredig wants to merge 9 commits into
mredig wants to merge 9 commits into
Conversation
dce70f4 to
a2d0220
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6708 +/- ##
==========================================
+ Coverage 89.94% 89.95% +0.01%
==========================================
Files 397 397
Lines 110751 110751
Branches 110751 110751
==========================================
+ Hits 99611 99628 +17
+ Misses 7367 7350 -17
Partials 3773 3773 ☔ View full report in Codecov by Harness. |
Member
|
Removed myself from review since this is in draft. Is this something that you have been speaking to someone on the team about? If so, it's probably worth binging them here when you're ready. |
Contributor
|
@stefanceriu is plenty aware of this addition as he asked for it. I added him as a reviewer to avoid confusion. |
Member
|
Right, sorry about that Andy, should've said something. EX platform folks suggested this approach and I also raised it with the larger Rust team, nobody saw any problems with it. |
Signed-off-by: mredig <mredig@gmail.com> Signed-off-by: mredig <juniper.fife_0b@icloud.com>
Signed-off-by: mredig <mredig@gmail.com> Signed-off-by: mredig <juniper.fife_0b@icloud.com>
Signed-off-by: mredig <mredig@gmail.com> Signed-off-by: mredig <juniper.fife_0b@icloud.com>
Signed-off-by: mredig <mredig@gmail.com> Signed-off-by: mredig <juniper.fife_0b@icloud.com>
Signed-off-by: mredig <mredig@gmail.com> Signed-off-by: mredig <juniper.fife_0b@icloud.com>
Signed-off-by: mredig <mredig@gmail.com> Signed-off-by: mredig <juniper.fife_0b@icloud.com>
Signed-off-by: mredig <mredig@gmail.com> Signed-off-by: mredig <juniper.fife_0b@icloud.com>
bb562b7 to
9239f40
Compare
9239f40 to
bd998a5
Compare
a3edc08 to
12a742e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds
PasswordStrengthEstimatorto the FFI layer, backed by thezxcvbncrate. The estimator accepts caller-configuredPasswordStrengthThresholdsso clients can tune ranking boundaries to reflect current hardware attack rates rather than zxcvbn's decade-old defaults. Two built-in threshold sets are provided: one matching zxcvbn's original boundaries, and one tuned for modern hardware (based on hive systems latest/2025 password ranking chart).Notes:
The threshold-to-ranking logic lives in the FFI layer rather than a core crate — it was explicitly requested to add this dependency to the ffi layer, but I believe that was also with the assumption that it'd just be plainly forwarding the public interface of the upstream. This is acknowledged as a deviation from convention per feat: expose m.fully_read event ID on RoomInfo #6569. Happy to move it if preferred.
zxcvbnis pinned to a specific git commit rather than a released version. The latest release (3.1.1) has a bug whereguesses_log10incorrectly caps atlog10(u64::MAX)despite the field being documented as tracking the unsaturated value. This is fixed in master (4e8e784) but not yet released.The Rust crate's output also diverges from the original JS zxcvbn in some cases — it tends to score more harshly, which is conservative and acceptable, but worth noting.
It appears that deny.toml needs an update with the zxcvbn dependency, but I'm not sure if that's my place or something you want to do. I'm happy either way.
I've documented the public API changes in the appropriate changelog files (see Writing changelog entries).
This PR was made with the help of AI.
Signed-off-by: Michael Redig juniper.fife_0b@icloud.com