Expand the zxcvbn password meter blacklist, based on user input.

props iandunn. see #25174. git-svn-id: https://develop.svn.wordpress.org/trunk@25637 602fd350-edb4-49c9-b593-d223f7449a82
2013-09-28 06:46:29 +00:00 · 2013-09-28 06:46:29 +00:00 · 89febfe766
commit 89febfe766
parent e212691d73
3 changed files with 87 additions and 11 deletions
--- a/src/wp-admin/js/password-strength-meter.js
+++ b/src/wp-admin/js/password-strength-meter.js
@ -1,6 +1,74 @@
-function passwordStrength(password1, username, password2) {
+window.wp = window.wp || {};
+
+var passwordStrength;
+(function($){
+	wp.passwordStrength = {
+		/**
+		 * Determine the strength of a given password
+		 *
+		 * @param string password1 The password
+		 * @param array blacklist An array of words that will lower the entropy of the password
+		 * @param string password2 The confirmed password
+		 */
+		meter : function( password1, blacklist, password2 ) {
+			if ( ! $.isArray( blacklist ) )
+				blacklist = [ blacklist.toString() ];
+
 			if (password1 != password2 && password2.length > 0)
 				return 5;
-	var result = zxcvbn( password1, [ username ] );
+
+			var result = zxcvbn( password1, blacklist );
 			return result.score;
+		},
+
+		/**
+		 * Builds an array of data that should be penalized, because it would lower the entropy of a password if it were used
+		 *
+		 * @return array The array of data to be blacklisted
+		 */
+		userInputBlacklist : function() {
+			var i, userInputFieldsLength, rawValuesLength, currentField,
+				rawValues       = [],
+				blacklist       = [],
+				userInputFields = [ 'user_login', 'first_name', 'last_name', 'nickname', 'display_name', 'email', 'url', 'description', 'weblog_title', 'admin_email' ];
+
+			// Collect all the strings we want to blacklist
+			rawValues.push( document.title );
+			rawValues.push( document.URL );
+
+			userInputFieldsLength = userInputFields.length;
+			for ( i = 0; i < userInputFieldsLength; i++ ) {
+				currentField = $( '#' + userInputFields[ i ] );
+
+				if ( 0 == currentField.length ) {
+					continue;
 				}
+
+				rawValues.push( currentField[0].defaultValue );
+				rawValues.push( currentField.val() );
+			}
+
+			// Strip out non-alphanumeric characters and convert each word to an individual entry
+			rawValuesLength = rawValues.length;
+			for ( i = 0; i < rawValuesLength; i++ ) {
+				if ( rawValues[ i ] ) {
+					blacklist = blacklist.concat( rawValues[ i ].replace( /\W/g, ' ' ).split( ' ' ) );
+				}
+			}
+
+			// Remove empty values, short words, and duplicates. Short words are likely to cause many false positives.
+			blacklist = $.grep( blacklist, function( value, key ) {
+				if ( '' == value || 4 > value.length ) {
+					return false;
+				}
+
+				return $.inArray( value, blacklist ) === key;
+			});
+
+			return blacklist;
+		}
+	}
+
+	// Backwards compatibility.
+	passwordStrength = wp.passwordStrength.meter;
+})(jQuery);
--- a/src/wp-admin/js/user-profile.js
+++ b/src/wp-admin/js/user-profile.js
@ -9,7 +9,7 @@
 			return;
 		}

-		strength = passwordStrength(pass1, user, pass2);
+		strength = wp.passwordStrength.meter( pass1, wp.passwordStrength.userInputBlacklist(), pass2 );

 		switch ( strength ) {
 			case 2:
--- a/tests/qunit/wp-admin/js/password-strength-meter.js
+++ b/tests/qunit/wp-admin/js/password-strength-meter.js
@ -77,15 +77,23 @@ jQuery( function() {
 		}
 	});

-	test( 'username in password should be penalized', function() {
+	test( 'blacklisted words in password should be penalized', function() {
 		var allowedPasswordScore, penalizedPasswordScore,
 			allowedPassword   = 'a[janedoe]4',
 			penalizedPassword = 'a[johndoe]4',
-			username          = 'johndoe';
+			blacklist         = [ 'extra', 'johndoe', 'superfluous' ];

-		allowedPasswordScore = passwordStrength( allowedPassword, username, allowedPassword );
-		penalizedPasswordScore = passwordStrength( penalizedPassword, username, penalizedPassword );
+		allowedPasswordScore = passwordStrength( allowedPassword, blacklist, allowedPassword );
+		penalizedPasswordScore = passwordStrength( penalizedPassword, blacklist, penalizedPassword );

 		ok( penalizedPasswordScore < allowedPasswordScore, 'Penalized password scored ' + penalizedPasswordScore + '; allowed password scored: ' + allowedPasswordScore );
 	});
+
+	test( 'user input blacklist array should contain expected words', function() {
+		var blacklist = wp.passwordStrength.userInputBlacklist();
+
+		ok( jQuery.isArray( blacklist ), 'blacklist is an array' );
+		ok( jQuery.inArray( 'WordPress', blacklist ) > -1, 'blacklist contains "WordPress" from page title' );
+		ok( jQuery.inArray( 'tests', blacklist ) > -1, 'blacklist contains "tests" from site URL' );
+	});
 });