Fixes for password checker from r70520:
authorMax Semenik <maxsem@users.mediawiki.org>
Mon, 9 Aug 2010 16:17:00 +0000 (16:17 +0000)
committerMax Semenik <maxsem@users.mediawiki.org>
Mon, 9 Aug 2010 16:17:00 +0000 (16:17 +0000)
* Removed the upper bound for brute force complexity checks
* Score for repetitions is now linear and is subtracted from brute force score to avoid overpenalizing long passwords
* Disabled checks by default for now, since many people consider them overly intrusive
* Made OutputPage::addPasswordSecurity() include jQuery just in case it's not already included
* Documented a little

includes/DefaultSettings.php
includes/OutputPage.php
skins/common/password.js

index 86ef2b9..f46cf0f 100644 (file)
@@ -5086,7 +5086,7 @@ $wgUploadMaintenance = false;
 /**
  * Enabes or disables JavaScript-based suggestions of password strength
  */
-$wgLivePasswordStrengthChecks = true;
+$wgLivePasswordStrengthChecks = false;
  
 /**
  * For really cool vim folding this needs to be at the end:
index 9f07201..0347aef 100644 (file)
@@ -1955,7 +1955,14 @@ class OutputPage {
                }
        }
 
+       /**
+        * Adds JS-based password security checker
+        * @param $passwordId String ID of input box containing password
+        * @param $retypeId String ID of input box containing retyped password
+        * @return none
+        */
        public function addPasswordSecurity( $passwordId, $retypeId ) {
+               $this->includeJQuery();
                $data = array(
                        'password' => '#' . $passwordId,
                        'retype' => '#' . $retypeId,
index de89559..78b1478 100644 (file)
@@ -5,20 +5,16 @@
  * @todo Check for popular passwords and keyboard sequences (QWERTY, etc)
  */
 
+// Estimates how hard it would be to pick the password using brute forece
 function bruteForceComplexity( pwd ) {
-       var score = 0;
-
-       if ( pwd.length < 16 ) {
-               score = pwd.length * 5;
-       } else {
-               score = 80;
-       }
+       var score = pwd.length * 5;
 
        var regexes = [
                /[a-z]/,
                /[A-Z]/,
                /[0-9]/,
-               /[-_;:\.,'"`~!@#$%\^&\*\(\)\[\]\{\} ]/ ];
+               /[-_;:\.,'"`~!@#$%\^&\*\(\)\[\]\{\} ]/
+       ];
 
        var charClasses = 0;
        for ( var i=0; i< regexes.length; i++ ) {
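Review bot: The new comment on `bruteForceComplexity` has a typo, `forece`; suggest `// Estimates how hard the password would be to find by brute force: 5 points per character, plus whatever the character-class loop below adds`. With the 16-character cap removed, the only remaining bound on the length term is the 100-character truncation the caller does (`pwd.slice( 0, 100 )` in the last hunk), which is worth mentioning in the same comment so the two places do not drift apart. The rest of the function body lies outside this hunk.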
@@ -42,7 +38,8 @@ function bruteForceComplexity( pwd ) {
        return score;
 }
 
-function repetitionScore( pwd ) {
+// Calculates a penalty to brute force score due to character repetition
+function repetitionAdjustment( pwd ) {
        var unique = '';
        for ( var i=0; i< pwd.length; i++ ) {
                if ( unique.indexOf( pwd[i] ) < 0 ) {
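Review bot: The new comment on `repetitionAdjustment` should state the result's range, because `ratio` (computed in the next hunk as `pwd.length / unique.length - 0.4`) is at least 0.6 for an all-unique password, so `ratio * 10` is always a positive penalty of at least 6 and never a reward; suggest `// Penalty subtracted from the brute force score: at least 6 for all-unique characters, growing linearly with repetition`. That also makes the context comment `allow up to 40% repetition, reward for less, penalize for more` in the next hunk inaccurate for the new formula. Note that an empty password gives `0 / 0`, i.e. NaN, which would fall through every `<` comparison in the caller and be reported as good; this is only safe if the early `return` at the top of the last hunk rejects empty input, and its condition is not visible in the diff.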
@@ -51,9 +48,10 @@ function repetitionScore( pwd ) {
        }
        var ratio = pwd.length / unique.length - 0.4; // allow up to 40% repetition, reward for less, penalize for more
        
-       return 100 / ratio;
+       return ratio * 10;
 }
 
+// Checks how many simple sequences ("abc", "321") are there in the password
 function sequenceScore( pwd ) {
        pwd = pwd.concat( '\0' );
        var score = 100, sequence = 1;
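Review bot: The new comment on `sequenceScore` says it checks how many simple sequences there are, but the function returns a score that starts at 100 and is reduced per run, not a count; suggest `// Scores the password from 100 downward, penalizing each run of consecutive characters ("abc", "321")`. The `'\0'` appended on the first line of the body acts as a sentinel so the final run is flushed by the loop, which is worth a one-line comment since the loop itself lies outside this hunk.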
@@ -62,7 +60,7 @@ function sequenceScore( pwd ) {
                        sequence++;
                } else {
                        if ( sequence > 2 ) {
-                               score -= Math.sqrt( sequence ) * 15;
+                               score -= sequence * 7;
                        }
                        sequence = 1;
                }
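Review bot: `score -= sequence * 7` makes negative results much easier to reach than the previous square-root penalty (a single 15-character run already gives 100 - 105), and nothing clamps the value before it is returned. The caller classifies anything below 40 as `bad`, so the verdict is unaffected, but if the raw scores are ever shown (the last hunk has a commented-out `//+ scores`) a clamp such as `return Math.max( 0, score );` or a comment stating the score is unbounded below would avoid surprises. The loop that accumulates `sequence` starts before this hunk.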
@@ -89,23 +87,26 @@ function sequenceScore( pwd ) {
                        return;
                }
                if ( pwd.length > 100 ) pwd = pwd.slice( 0, 100 );
-               var score = Math.min(
+               var scores = [
                        bruteForceComplexity( pwd ),
-                       repetitionScore( pwd ),
+                       repetitionAdjustment( pwd ),
                        sequenceScore( pwd )
-               );
+               ];
+
+               var score = Math.min( scores[0] - scores[1], scores[2] );
                var result = 'good';
                if ( score < 40 ) {
                        result = 'bad';
                } else if ( score < 60 ) {
                        result = 'mediocre';
-               } else if ( score < 85 ) {
+               } else if ( score < 80 ) {
                        result = 'acceptable';
                }
                var message = '<span class="mw-password-' + result + '">' + passwordSecurity.messages['password-strength-' + result]
                        + '</span>';
                $( '#password-strength' ).html(
                        passwordSecurity.messages['password-strength'].replace( '$1', message )
+                        //+ scores
                );
        }