Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork5.3k
[Validator] feat : add password strength estimator related documentation#19910
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
[Validator] feat : add password strength estimator related documentation#19910
Uh oh!
There was an error while loading.Please reload this page.
Conversation
| In case of need to retrieve the actual strength of a password (e.a. display it in a frontend live next to the password field), the ``estimateStrength`` `dedicated function`_ of the :class:`Symfony\\Component\\Validator\\Constraints\\PasswordStrengthValidator` is a public static function, therefore this function can be retrieved directly from the `PasswordStrengthValidator` class.:: | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Should this data be considered as a sensitive data ?
By analysing the successive scores after each keystroke, is this not much much easier to break a password ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I would not consider it as sensitive data as the strength is not linked to the user and is not encrypted => so the only information that any one would get is how the strength of a password is constructed (which is anyway public as this code is public) but maybe I miss a part of the analysis (I'm not a security expert)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
but I see indeed that it's defined as a Sensitive Parameter in the code =>@smnandre how should we mention it in the documentation?
The change in the code was done to render public the estimateStrength function from the Validator heresymfony/symfony#54881
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I think we could replace
(e.a. display it in a frontend live next to the password field)
with
(e.g. compute the score and display it when the user has defined a password)
Just removing the "live" part from the documentation feels better to me... wdyt ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I understand what you mean and it feels right indeed => text updated
5c45fca to92d1b5aComparejaviereguiluz commentedMay 28, 2024
Yannick, thanks for this contribution! Your original PR was perfectly fine but, to avoid having to browse many small pages when reading Symfony Docs, we lately avoid creating short articles. That's why, while merging this, I moved the new docs to the constraint article and removed the new doc page. Seef6b6991 |
This PRfixes#19903