
[FEATURE] Password Strength UI #1523

Closed
derek-ho opened this issue Jul 20, 2023 · 6 comments · Fixed by #1762
Labels
enhancement New feature or request triaged ux / ui User Experience / Interface related issues

Comments

@derek-ho
Collaborator

Similar to other websites that have password strength UI when creating a user, the security dashboards plugin should have something similar.

  • A UI component that shows whether a given password is weak to very strong
  • Shows red/green progress bar as password gets stronger
@derek-ho derek-ho added enhancement New feature or request untriaged labels Jul 20, 2023
@derek-ho
Collaborator Author

derek-ho commented Jul 20, 2023

Two possible ways we can solve this, as @cwperks pointed out, rule/regex based regex seems to be at odds, or at least not 1:1 with library based password scoring.

Approach 1 (my vote):
Step 1: Don't allow users to create users with passwords that violate the regex rule specified in the config file
Step 2: Try to use https://github.com/dropbox/zxcvbn - or similar to match UI with what backend would return for the strength of a given password

We will still allow users to try and send passwords that pass UI/frontend checks, but the backend will make the final call on whether that user's password strength is strong enough to allow for creation

Approach 2:
Step 1: Allow users to set whether they want to use regex based Password creation, or strength based password creation
Step 2: Modify Backend to only use the library if user selected strength based password creation, otherwise just check with the validation regex from the config
Step 3: Match the UI with whatever the user config is

@stephen-crawford
Contributor

[Triage] @derek-ho thank you for filing this issue. Going to tag UX/UI, and assign this issue to you ;)

@stephen-crawford stephen-crawford added ux / ui User Experience / Interface related issues triaged and removed untriaged labels Jul 24, 2023
@peternied
Member

I'm not sure if we have precedent for this kind of scenario, but approach 1 seems like a good candidate.

If you need another alternative, consider adding a parameter to the password setting API such as a 'dry-run' flag. Then you can reuse whatever error comes from the backend system to populate the front end ❌, or a ✔️

@kamingleung

kamingleung commented Jul 28, 2023

In general, strong/weak indicators alone are rather ambiguous. We should provide upfront guidance on how to make passwords strong, eliminating any guesswork for our users.

As users are typing in their passwords, I would consider specifically listing out which password criteria users are missing, so that users have a clear actionable path.

@kamingleung

kamingleung commented Jul 28, 2023

@derek-ho

Two possible ways we can solve this, as @cwperks pointed out, rule/regex based regex seems to be at odds, or at least not 1:1 with library based password scoring.

Is there an issue that gives full context behind why we need a password strength UI? What did @cwperks point out? Thanks.

@derek-ho
Collaborator Author

derek-ho commented Sep 13, 2023

@kamingleung I think there are two things here -

  1. Does the password meet the minimum criteria to be accepted by OpenSearch - should be addressed in another PR: Add Validation to Create User Flow #1581
  2. Is the password considered strong enough to be accepted by OpenSearch - related to zxcvbn library. In order to implement this on the UI I am calling the same library the backend is calling to validate the strength of a password - however this doesn't have some specific set of standards as far as I can tell - it is based on how long the library thinks it would take to crack the given password, thus showing it as a progress bar. For example, "test" is a very weak password, "test12" is weak (better than "test"), but "test123" is considered very weak again, even though "test123" is more complex than "test12". Outside of a strength bar I think this will be hard to communicate to users.
