Password similarity policy is too strict #581
Comments

aeneasr added a commit that referenced this issue on Jul 16, 2020
Some examples of UUIDs being too similar:
After debugging those a bit I found out the longest common substring check is causing these to fail, not the Levenshtein distance.
I will fix this by requiring the LCS to be proportionally less than 20% of the password length. Or are there any arguments for/against a specific threshold?
Describe the bug
In #577 we observe flaky tests because both the user id and the password are generated using UUID v4 and the password policy deemed them too similar.
Given that the entropy is really high, the password policy definitely returned a false positive here and should subsequently be improved (also with tests) to ensure that the false positive rate is reduced.
Reproducing the bug
Check the password policy against a combination of UUIDs
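The two similarity measures discussed in the comment above, run over the UUID-against-UUID case the issue body describes, as an added example in Go that is not Kratos's own code. It computes the Levenshtein distance and the longest common substring (LCS) for an identifier/password pair and evaluates an assumed absolute cap of 4 shared characters next to the proportional rule proposed in the comment (flag when the LCS reaches 20% of the password length). The names (`Assess`, `Report`, `SampleUUIDIdentifier`), the absolute cap, the case-folding and the sample strings are assumptions made for this example; the UUID-shaped values are constructed so that they share a six-character run by chance, as random UUID v4 values occasionally do.

```go
package main

import (
	"fmt"
	"strings"
)

// Report captures both similarity measures and both policy decisions for one
// identifier/password pair.
type Report struct {
	Levenshtein       int  // edit distance between identifier and password
	LCS               int  // length of the longest contiguous run they share
	FlaggedAbsolute   bool // LCS >= AbsoluteLCSCap (assumed rule)
	FlaggedProportion bool // LCS >= LCSRatioCap * len(password) (proposed rule)
}

// Assumed thresholds for illustration; the project's real values may differ.
const (
	AbsoluteLCSCap = 4   // flag when 4 or more characters run in common
	LCSRatioCap    = 0.2 // flag when the shared run is >= 20% of the password
)

// Constructed UUID-v4-shaped sample values (not taken from the issue). They
// share only the run "1d8e-4", which an absolute cap of 4 rejects.
const (
	SampleUUIDIdentifier = "3f2b4a9c-1d8e-4f7a-9b2c-6e5d4a3b2c1f"
	SampleUUIDPassword   = "9e0f1d8e-4b7c-4a2d-8c3e-5f6a7b8c9d0e"
)

func minInt(vals ...int) int {
	m := vals[0]
	for _, v := range vals[1:] {
		if v < m {
			m = v
		}
	}
	return m
}

// Levenshtein is the standard two-row dynamic-programming edit distance.
func Levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// LongestCommonSubstring returns the length of the longest contiguous run of
// characters that occurs in both strings (suffix-table DP, O(len(a)*len(b))).
func LongestCommonSubstring(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	best := 0
	prev := make([]int, len(rb)+1)
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		for j := 1; j <= len(rb); j++ {
			if ra[i-1] == rb[j-1] {
				cur[j] = prev[j-1] + 1
				if cur[j] > best {
					best = cur[j]
				}
			}
		}
		prev = cur
	}
	return best
}

// Assess lower-cases both values (a choice made here so that case changes do
// not defeat the check) and applies the absolute and the proportional rule.
func Assess(identifier, password string) Report {
	id := strings.ToLower(identifier)
	pw := strings.ToLower(password)
	lcs := LongestCommonSubstring(id, pw)
	pwLen := len([]rune(pw))
	return Report{
		Levenshtein:       Levenshtein(id, pw),
		LCS:               lcs,
		FlaggedAbsolute:   lcs >= AbsoluteLCSCap,
		FlaggedProportion: float64(lcs) >= LCSRatioCap*float64(pwLen),
	}
}

func main() {
	pairs := []struct{ id, pw string }{
		{SampleUUIDIdentifier, SampleUUIDPassword}, // high-entropy pair: a false positive under the absolute cap
		{"alice@example.com", "alice@example.com1"}, // genuinely similar: both rules reject it
		{"dave", "av8Tq!x2"},                        // short password: 2 shared characters already reach 20%
	}
	for _, p := range pairs {
		r := Assess(p.id, p.pw)
		fmt.Printf("id=%q pw=%q\n  levenshtein=%d lcs=%d absolute=%v proportional=%v\n",
			p.id, p.pw, r.Levenshtein, r.LCS, r.FlaggedAbsolute, r.FlaggedProportion)
	}
}
```

The UUID pair reproduces the report: the edit distance is large, so the Levenshtein check passes, and only the absolute LCS cap rejects it; under the 20% rule its six shared characters stay below the 7.2-character limit for a 36-character password. The third pair shows the caveat of a purely proportional threshold: 20% of an 8-character password is 1.6 characters, so any two shared consecutive characters trigger a rejection, which is stricter than the absolute cap at the short end of the length range. A policy combining a minimum absolute allowance with the proportional cap avoids that edge.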