
Add note about false positives on password check

Since the check to see if a password has been present in a data breach
is using a Bloom filter, there's a small chance of false positives (I
believe it's 0.1% currently). This is confusing when it happens, so this
just clarifies that it's possible but they'll have to pick a new
password anyway.
merge-requests/55/head
Chad Birch 6 years ago
parent
commit
999ac80863
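The commit message above relies on one property of Bloom filters: a check built on one can flag a password that is not actually in the breached list (a false positive), but it can never clear a password that is in the list. The following is an added, self-contained Python illustration, not Tildes' own `is_breached_password` or its filter; the sizing formulas, the double-hashing scheme and the generated stand-in for the downloaded "Have I been pwned?" list are all assumptions made for the example.

```python
"""Added example (not Tildes project code): a minimal Bloom filter used the
way a breached-password check uses one.  It demonstrates the property the
commit message relies on: a filter built from a list of breached passwords
can say "breached" for a password that is NOT in the list (false positive),
but it can never say "clean" for one that IS in the list (no false negatives).
"""
import hashlib
import math
from typing import Iterator


class BloomFilter:
    """Bit-array Bloom filter sized for `capacity` items at `error_rate` FP rate."""

    def __init__(self, capacity: int, error_rate: float) -> None:
        # Standard sizing (assumed here, not taken from Tildes): m bits and
        # k hash functions minimise the false-positive rate p for n items.
        #   m = -n ln(p) / (ln 2)^2        k = (m / n) ln 2
        self.m = math.ceil(-capacity * math.log(error_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        # Derive k bit positions from one SHA-256 digest with double hashing
        # (Kirsch-Mitzenmacher): pos_i = h1 + i * h2 mod m.  h2 is forced odd
        # so the k positions never collapse onto a single bit.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        # "Possibly in set" iff every one of the k bits is set.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


# Constructed stand-in for the downloaded HIBP password list (assumption:
# the real list is far larger and is loaded from disk, not generated).
BREACHED = [f"password{i}" for i in range(20_000)]


def build_filter(error_rate: float = 0.001) -> BloomFilter:
    """Build the filter at the roughly 0.1% rate the commit message mentions."""
    bf = BloomFilter(len(BREACHED), error_rate)
    for pw in BREACHED:
        bf.add(pw)
    return bf


def is_breached_password(bf: BloomFilter, password: str) -> bool:
    """Same shape as a breach check: True means 'reject this password'."""
    return password in bf


def count_false_negatives(bf: BloomFilter) -> int:
    """Every breached password must be flagged; a Bloom filter guarantees 0."""
    return sum(1 for pw in BREACHED if not is_breached_password(bf, pw))


def measure_false_positive_rate(bf: BloomFilter, trials: int = 100_000) -> float:
    """Fraction of passwords known NOT to be in BREACHED that are still flagged."""
    hits = sum(1 for i in range(trials) if is_breached_password(bf, f"unseen-{i}"))
    return hits / trials


if __name__ == "__main__":
    bf = build_filter()
    print(f"bits={bf.m} hashes={bf.k}")
    print("false negatives:", count_false_negatives(bf))
    print(f"false positive rate: {measure_false_positive_rate(bf):.4%}")
```

Running it shows zero false negatives over the whole constructed list and a false-positive rate close to the 0.1% the filter was sized for. That asymmetry is the reason the template text can say a user must pick a new password even on a false positive: a rejection is the only outcome the filter can get wrong, and accepting it as-is costs the user one retry, whereas a password that passes is definitely absent from the list the filter was built from.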
3 files changed (lines changed in parentheses):
tildes/scss/modules/_sidebar.scss (1)
tildes/tildes/schemas/user.py (2)
tildes/tildes/templates/includes/password_restrictions.jinja2 (5)

1
tildes/scss/modules/_sidebar.scss

@ -4,7 +4,6 @@
#sidebar { #sidebar {
p { p {
margin-bottom: 0.4rem; margin-bottom: 0.4rem;
line-height: 1rem;
} }
.btn { .btn {
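Review bot: the removal of `line-height: 1rem;` from `#sidebar p` is not mentioned in the commit message, which only describes the password-check note. Presumably it is there so the new small-text paragraph can wrap without its lines overlapping, but it changes every paragraph in the sidebar, so either say so in the message or split it into its own commit.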

2
tildes/tildes/schemas/user.py

@ -90,7 +90,7 @@ class UserSchema(Schema):
return return
if is_breached_password(value): if is_breached_password(value):
raise ValidationError("That password exists in a data breach")
raise ValidationError("That password exists in a data breach (see sidebar)")
@pre_load @pre_load
def prepare_email_address(self, data: dict) -> dict: def prepare_email_address(self, data: dict) -> dict:
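Review bot: the error message now hard-codes a page-layout detail, `(see sidebar)`, into a schema-level validator in `user.py`. If `UserSchema` is ever used where the restrictions are not rendered in a sidebar (an API request, or a settings form), the hint points nowhere. Prefer neutral wording such as `"That password exists in a data breach (see the password restrictions)"` and leave it to the template to decide where the explanation lives.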

5
tildes/tildes/templates/includes/password_restrictions.jinja2

@ -6,6 +6,9 @@
<ul> <ul>
<li>At least 8 characters long.</li> <li>At least 8 characters long.</li>
<li>Does not contain the username, and is not contained in the username.</li> <li>Does not contain the username, and is not contained in the username.</li>
<li>Has not been previously exposed in a data breach (checked locally against a list downloaded from <a href="https://haveibeenpwned.com/Passwords" target="_blank">Troy Hunt's "Have I been pwned?"</a>).</li>
<li>
<p>Has not been previously exposed in a data breach (checked locally against a list downloaded from <a href="https://haveibeenpwned.com/Passwords" target="_blank">Troy Hunt's "Have I been pwned?"</a>).</p>
<p class="text-small ml-2">Note: this check uses a <a href="https://en.wikipedia.org/wiki/Bloom_filter" target="_blank">Bloom filter</a>, so false positives are possible (but very rare). Even if it is a false positive, you must choose a different password.</p>
</li>
</ul> </ul>
</dd> </dd>
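Review bot: the new note tells users false positives are "very rare" without stating the flip side, which is the reassuring part: a Bloom filter has no false negatives, so a password that really is in the downloaded list is always rejected, and a password that passes is genuinely absent from it. One clause to that effect (and the roughly 0.1% figure from the commit message, rather than "very rare") would make "you must choose a different password" read as a deliberate safety choice rather than a limitation. Also, both `target="_blank"` links, the existing HIBP one and the new Wikipedia one, should carry `rel="noopener"` so the opened page cannot reach `window.opener`.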