Update weak check for long passwords

This CL updates passwords check for weakness for long passwords. It runs the zxcvbn-cpp library check for the first 40 characters of the password. Bug: 1119752 Change-Id: I0884e4bc3c32b7e7b44de2a02064e975a2e1d696 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2421516 Commit-Queue: Irina Fedorova <irfedorova@google.com> Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org> Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org> Cr-Commit-Position: refs/heads/master@{#809046}

Update weak check for long passwords
This CL updates passwords check for weakness for long passwords. It runs the zxcvbn-cpp library check for the first 40 characters of the password. Bug: 1119752 Change-Id: I0884e4bc3c32b7e7b44de2a02064e975a2e1d696 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2421516 Commit-Queue: Irina Fedorova <irfedorova@google.com> Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org> Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org> Cr-Commit-Position: refs/heads/master@{#809046}
74478c68 · Irina Fedorova · Commit Bot · 1e82cae4 · 74478c68
Commit 74478c68 authored Sep 21, 2020 by Irina Fedorova Committed by Commit Bot Sep 21, 2020
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 27 deletions

components/password_manager/core/browser/ui/weak_check_utility.cc ...ts/password_manager/core/browser/ui/weak_check_utility.cc +8 -27

No files found.
--- a/components/password_manager/core/browser/ui/weak_check_utility.cc
+++ b/components/password_manager/core/browser/ui/weak_check_utility.cc
@@ -22,36 +22,17 @@ constexpr int kZxcvbnLengthCap = 40;
 // If the password has a score of 2 or less, this password should be marked as
 // weak. The lower the password score, the weaker it is.
-constexpr int kHighSeverityScore = 0;
 constexpr int kLowSeverityScore = 2;
-constexpr int kStrongPasswordScore = 4;
-// Very rough, extremely simplified strength check that only makes sense for
-// long passwords.
-int SimpleLongPasswordStrengthEstimate(const base::string16& password) {
-  base::flat_set<base::char16> chars;
-  for (auto character : password) {
-    chars.insert(character);
-    if (chars.size() > 4) {
-      return kStrongPasswordScore;
-    }
-  }
-  return kHighSeverityScore;
-}
 // Returns the |password| score.
-int PasswordWeakCheck(const base::string16& password) {
+int PasswordWeakCheck(base::StringPiece16 password16) {
-  // zxcvbn's computation time explodes for long passwords, so don't use it for
+  // zxcvbn's computation time explodes for long passwords, so cap at that
-  // those.
+  // number.
-  if (password.size() > kZxcvbnLengthCap) {
+  std::string password =
-    return SimpleLongPasswordStrengthEstimate(password);
+      base::UTF16ToUTF8(password16.substr(0, kZxcvbnLengthCap));
-  }
+  std::vector<zxcvbn::Match> matches = zxcvbn::omnimatch(password);
-  std::vector<zxcvbn::Match> matches =
+  zxcvbn::ScoringResult result =
-      zxcvbn::omnimatch(base::UTF16ToUTF8(password));
+      zxcvbn::most_guessable_match_sequence(password, matches);
-  zxcvbn::ScoringResult result = zxcvbn::most_guessable_match_sequence(
-      base::UTF16ToUTF8(password), matches);
  return zxcvbn::estimate_attack_times(result.guesses).score;
 }