
FFI: Add zxcvbn dependency for password strength evaluation#6708

Draft
mredig wants to merge 9 commits into
matrix-org:mainfrom
mredig:mredig/pw-strength-dependency

Conversation


@mredig mredig commented Jul 1, 2026

Adds PasswordStrengthEstimator to the FFI layer, backed by the zxcvbn crate. The estimator accepts caller-configured PasswordStrengthThresholds so clients can tune ranking boundaries to reflect current hardware attack rates rather than zxcvbn's decade-old defaults. Two built-in threshold sets are provided: one matching zxcvbn's original boundaries, and one tuned for modern hardware (based on Hive Systems' latest (2025) password ranking chart).

Notes:

  • The threshold-to-ranking logic lives in the FFI layer rather than a core crate — it was explicitly requested to add this dependency to the ffi layer, but I believe that was also with the assumption that it'd just be plainly forwarding the public interface of the upstream. This is acknowledged as a deviation from convention per feat: expose m.fully_read event ID on RoomInfo #6569. Happy to move it if preferred.

  • zxcvbn is pinned to a specific git commit rather than a released version. The latest release (3.1.1) has a bug where guesses_log10 incorrectly caps at log10(u64::MAX) despite the field being documented as tracking the unsaturated value. This is fixed in master (4e8e784) but not yet released.

  • The Rust crate's output also diverges from the original JS zxcvbn in some cases — it tends to score more harshly, which is conservative and acceptable, but worth noting.

  • It appears that deny.toml needs an update with the zxcvbn dependency, but I'm not sure if that's my place or something you want to do. I'm happy either way.

  • I've documented the public API changes in the appropriate changelog files (see Writing changelog entries).

  • This PR was made with the help of AI.

Signed-off-by: Michael Redig juniper.fife_0b@icloud.com
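The threshold-to-ranking step the description outlines, as an added Rust example that is not the PR's code: the `PasswordStrength` enum, the `PasswordStrengthThresholds` shape and the `modern_hardware_placeholder` bounds are assumptions here (the original boundaries are zxcvbn's published 10^3/10^6/10^8/10^10 guess cut-offs; the modern set's real values do not appear on this page).

```rust
// Added illustrative example (not the PR's code): threshold-to-ranking over zxcvbn's guesses_log10.
/// Strength rank, weakest to strongest, mirroring zxcvbn's 0..=4 score scale.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum PasswordStrength { VeryWeak, Weak, Fair, Strong, VeryStrong }

/// Caller-configured upper bounds, as log10(guesses), for the four weaker ranks;
/// a value at or above `bounds[3]` is `VeryStrong`.
#[derive(Debug, Clone, PartialEq)]
pub struct PasswordStrengthThresholds { bounds: [f64; 4] }

impl PasswordStrengthThresholds {
    /// Rejects non-finite or non-increasing bounds so a misconfigured client
    /// cannot silently collapse every password into one bucket.
    pub fn new(bounds: [f64; 4]) -> Result<Self, String> {
        if bounds.iter().any(|b| !b.is_finite()) {
            return Err("thresholds must be finite".into());
        }
        if bounds.windows(2).any(|w| w[0] >= w[1]) {
            return Err("thresholds must be strictly increasing".into());
        }
        Ok(Self { bounds })
    }

    /// zxcvbn's original boundaries: 10^3, 10^6, 10^8 and 10^10 guesses.
    pub fn zxcvbn_original() -> Self {
        Self { bounds: [3.0, 6.0, 8.0, 10.0] }
    }

    /// Placeholder modern-hardware set; the PR's actual values are not on this page.
    pub fn modern_hardware_placeholder() -> Self {
        Self { bounds: [6.0, 9.0, 11.0, 13.0] }
    }

    /// Maps guesses_log10 to a rank. NaN fails closed to `VeryWeak`. A value
    /// saturated at log10(u64::MAX) (about 19.27, the 3.1.1 bug the PR pins
    /// past) still ranks `VeryStrong` under both sets above.
    pub fn rank(&self, guesses_log10: f64) -> PasswordStrength {
        if guesses_log10.is_nan() {
            return PasswordStrength::VeryWeak;
        }
        match self.bounds.iter().position(|&b| guesses_log10 < b) {
            Some(0) => PasswordStrength::VeryWeak,
            Some(1) => PasswordStrength::Weak,
            Some(2) => PasswordStrength::Fair,
            Some(3) => PasswordStrength::Strong,
            _ => PasswordStrength::VeryStrong,
        }
    }
}
```

The same guesses_log10 of 10 ranks VeryStrong under the original set but only Fair under the placeholder set, which is the whole point of letting clients tune the boundaries.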

@mredig mredig requested a review from a team as a code owner July 1, 2026 06:26
@mredig mredig requested review from andybalaam and removed request for a team July 1, 2026 06:26
@mredig mredig marked this pull request as draft July 1, 2026 06:31
@mredig mredig force-pushed the mredig/pw-strength-dependency branch from dce70f4 to a2d0220 Compare July 1, 2026 06:38

codecov Bot commented Jul 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.95%. Comparing base (805f981) to head (12a742e).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6708      +/-   ##
==========================================
+ Coverage   89.94%   89.95%   +0.01%     
==========================================
  Files         397      397              
  Lines      110751   110751              
  Branches   110751   110751              
==========================================
+ Hits        99611    99628      +17     
+ Misses       7367     7350      -17     
  Partials     3773     3773              



codspeed-hq Bot commented Jul 1, 2026

Merging this PR will not alter performance

✅ 50 untouched benchmarks


Comparing mredig:mredig/pw-strength-dependency (12a742e) with main (805f981)


@andybalaam andybalaam removed their request for review July 1, 2026 09:41
@andybalaam

Member

Removed myself from review since this is in draft.

Is this something that you have been speaking to someone on the team about? If so, it's probably worth pinging them here when you're ready.

@manuroe manuroe requested a review from stefanceriu July 1, 2026 11:54

manuroe commented Jul 1, 2026

Contributor

@stefanceriu is plenty aware of this addition as he asked for it. I added him as a reviewer to avoid confusion.

@stefanceriu

Member

Right, sorry about that Andy, should've said something. EX platform folks suggested this approach and I also raised it with the larger Rust team, nobody saw any problems with it.

mredig added 7 commits July 1, 2026 16:36
Signed-off-by: mredig <mredig@gmail.com>
Signed-off-by: mredig <juniper.fife_0b@icloud.com>
@mredig mredig force-pushed the mredig/pw-strength-dependency branch 2 times, most recently from bb562b7 to 9239f40 Compare July 1, 2026 21:56
@mredig mredig force-pushed the mredig/pw-strength-dependency branch from 9239f40 to bd998a5 Compare July 1, 2026 21:56
@mredig mredig force-pushed the mredig/pw-strength-dependency branch from a3edc08 to 12a742e Compare July 2, 2026 07:05