Use zxcvbn-cpp library in the password weakness check

This CL improves the PasswordWeakCheck in weak_check_utility by using the zxcvbn-cpp library for passwords shorter than 40 characters. Bug: 1119752 Change-Id: Ic79c63cc8c622a8fe10dcfb9a6e5fa1e6bcd44ec Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2401519 Commit-Queue: Irina Fedorova <irfedorova@google.com> Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org> Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org> Cr-Commit-Position: refs/heads/master@{#805737}

Use zxcvbn-cpp library in the password weakness check
This CL improves the PasswordWeakCheck in weak_check_utility by using the zxcvbn-cpp library for passwords shorter than 40 characters. Bug: 1119752 Change-Id: Ic79c63cc8c622a8fe10dcfb9a6e5fa1e6bcd44ec Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2401519 Commit-Queue: Irina Fedorova <irfedorova@google.com> Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org> Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org> Cr-Commit-Position: refs/heads/master@{#805737}
a33acce2 · Irina Fedorova · Commit Bot · 39d527dc · a33acce2 · a33acce2
Commit a33acce2 authored Sep 10, 2020 by Irina Fedorova Committed by Commit Bot Sep 10, 2020
5 changed files
--- a/components/password_manager/core/browser/BUILD.gn
+++ b/components/password_manager/core/browser/BUILD.gn
@@ -314,6 +314,7 @@ static_library("browser") {
    "//third_party/abseil-cpp:absl",
    "//third_party/protobuf:protobuf_lite",
    "//third_party/re2",
+    "//third_party/zxcvbn-cpp",
    "//ui/base",
    "//ui/gfx",
    "//ui/gfx/range",

--- a/components/password_manager/core/browser/DEPS
+++ b/components/password_manager/core/browser/DEPS
@@ -26,6 +26,7 @@ include_rules = [
  "+services/network/public/cpp",
  "+services/network/public/mojom",
  "+services/network/test",
+  "+third_party/zxcvbn-cpp",
 ]

 specific_include_rules = {

--- a/components/password_manager/core/browser/ui/insecure_credentials_manager_unittest.cc
+++ b/components/password_manager/core/browser/ui/insecure_credentials_manager_unittest.cc
@@ -30,8 +30,8 @@ constexpr char kPassword2[] = "s3cr3t";
 constexpr char kPassword3[] = "484her";

 constexpr char kWeakPassword1[] = "123456";
-constexpr char kWeakPassword2[] = "654321";
-constexpr char kStrongPassword1[] = "qjdGd6mGdSLnfp8sfsnF5sndslDdnn%ndkfsn8vdv";
+constexpr char kWeakPassword2[] = "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcda";
+constexpr char kStrongPassword1[] = "fnlsr4@cm^mdls@fkspnsg3d";
 constexpr char kStrongPassword2[] = "pmsFlsnoab4nsl#losb@skpfnsbkjb^klsnbs!cns";

 using autofill::PasswordForm;
@@ -605,6 +605,8 @@ TEST_F(InsecureCredentialsManagerTest, SingleCredentialIsWeakAndCompromised) {
  EXPECT_TRUE(IsCompromised(returned_weak_credentials[0].insecure_type));

  ASSERT_EQ(returned_compromised_credentials.size(), 1u);
+  EXPECT_EQ(base::UTF16ToUTF8(returned_compromised_credentials[0].password),
+            kWeakPassword1);
  EXPECT_TRUE(IsWeak(returned_compromised_credentials[0].insecure_type));
  EXPECT_TRUE(IsCompromised(returned_compromised_credentials[0].insecure_type));
 }

--- a/components/password_manager/core/browser/ui/weak_check_utility.cc
+++ b/components/password_manager/core/browser/ui/weak_check_utility.cc
@@ -4,6 +4,11 @@

 #include "components/password_manager/core/browser/ui/weak_check_utility.h"

+#include "base/strings/utf_string_conversions.h"
+#include "third_party/zxcvbn-cpp/native-src/zxcvbn/matching.hpp"
+#include "third_party/zxcvbn-cpp/native-src/zxcvbn/scoring.hpp"
+#include "third_party/zxcvbn-cpp/native-src/zxcvbn/time_estimates.hpp"
+
 namespace password_manager {

 namespace {
@@ -43,8 +48,11 @@ int PasswordWeakCheck(const base::string16& password) {
  if (password.size() > kZxcvbnLengthCap) {
    return SimpleLongPasswordStrengthEstimate(password);
  }
-  // TODO(crbug.com/1119752): Compute result by zxcvbn-cpp.
-  return kHighSeverityScore;
+  std::vector<zxcvbn::Match> matches =
+      zxcvbn::omnimatch(base::UTF16ToUTF8(password));
+  zxcvbn::ScoringResult result = zxcvbn::most_guessable_match_sequence(
+      base::UTF16ToUTF8(password), matches);
+  return zxcvbn::estimate_attack_times(result.guesses).score;
 }

 }  // namespace

--- a/components/password_manager/core/browser/ui/weak_check_utility_unittest.cc
+++ b/components/password_manager/core/browser/ui/weak_check_utility_unittest.cc
@@ -20,6 +20,7 @@ constexpr char kUsername2[] = "bob";
 constexpr char kWeakShortPassword[] = "123456";
 constexpr char kWeakLongPassword[] =
    "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcda";
+constexpr char kStrongShortPassword[] = "fnlsr4@cm^mdls@fkspnsg3d";
 constexpr char kStrongLongPassword[] =
    "pmsFlsnoab4nsl#losb@skpfnsbkjb^klsnbs!cns";

@@ -39,7 +40,8 @@ PasswordForm MakeSavedPassword(base::StringPiece username,

 TEST(WeakCheckUtilityTest, WeakPasswordsNotFound) {
  std::vector<PasswordForm> passwords = {
-      MakeSavedPassword(kUsername1, kStrongLongPassword)};
+      MakeSavedPassword(kUsername1, kStrongShortPassword),
+      MakeSavedPassword(kUsername2, kStrongLongPassword)};

  EXPECT_THAT(BulkWeakCheck(passwords), testing::IsEmpty());
 }
@@ -48,6 +50,7 @@ TEST(WeakCheckUtilityTest, DetectedShortAndLongWeakPasswords) {
  std::vector<PasswordForm> passwords = {
      MakeSavedPassword(kUsername1, kStrongLongPassword),
      MakeSavedPassword(kUsername1, kWeakShortPassword),
+      MakeSavedPassword(kUsername1, kStrongShortPassword),
      MakeSavedPassword(kUsername2, kWeakLongPassword)};

  base::flat_set<base::string16> weak_passwords = BulkWeakCheck(passwords);