From aa16fb2a9e4b6fb33ed80dea2a4c7bfa2234d45c Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Mon, 12 Nov 2018 22:54:18 -0500
Subject: [PATCH] password strength function with zxcvbn

---
 package-lock.json | 11 ++++++++
 package.json | 4 ++-
 .../passwordGeneration.service.ts | 1 +
 src/angular/components/register.component.ts | 26 ++++++++++++++++++-
 src/services/passwordGeneration.service.ts | 16 ++++++++++++
 5 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 857b8d673b..2daa4b22d1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -178,6 +178,12 @@
 "integrity": "sha512-jzAoSUvqA+183nJO/Sc73CREQJsv+p77WJdn532GqA3YXQzlwRwHhClVa7U4O8iB2sJSR7G3v6f1mJFNkwA9YQ==",
 "dev": true
 },
+ "@types/zxcvbn": {
+ "version": "4.4.0",
+ "resolved": "https://registry.npmjs.org/@types/zxcvbn/-/zxcvbn-4.4.0.tgz",
+ "integrity": "sha512-GQLOT+SN20a+AI51y3fAimhyTF4Y0RG+YP3gf91OibIZ7CJmPFgoZi+ZR5a+vRbS01LbQosITWum4ATmJ1Z6Pg==",
+ "dev": true
+ },
 "abbrev": {
 "version": "1.0.9",
 "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.0.9.tgz",
@@ -7920,6 +7926,11 @@
 "version": "0.8.26",
 "resolved": "https://registry.npmjs.org/zone.js/-/zone.js-0.8.26.tgz",
 "integrity": "sha512-W9Nj+UmBJG251wkCacIkETgra4QgBo/vgoEkb4a2uoLzpQG7qF9nzwoLXWU5xj3Fg2mxGvEDh47mg24vXccYjA=="
+ },
+ "zxcvbn": {
+ "version": "4.4.2",
+ "resolved": "https://registry.npmjs.org/zxcvbn/-/zxcvbn-4.4.2.tgz",
+ "integrity": "sha1-KOwXzwl0PtyrBW3dixsGJizHPDA="
 }
 }
 }
diff --git a/package.json b/package.json
index f2f5666ed6..d1a822950c 100644
--- a/package.json
+++ b/package.json
@@ -34,6 +34,7 @@
 "@types/papaparse": "^4.5.3",
 "@types/tldjs": "^2.3.0",
 "@types/webcrypto": "0.0.28",
+ "@types/zxcvbn": "^4.4.0",
 "concurrently": "3.5.1",
 "electron": "2.0.11",
 "jasmine": "^3.2.0",
@@ -83,6 +84,7 @@
 "papaparse": "4.6.0",
 "rxjs": "6.3.2",
 "tldjs": "2.3.1",
- "zone.js": "0.8.26"
+ "zone.js": "0.8.26",
+ "zxcvbn": "4.4.2"
 }
 }
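Review bot: The new runtime dependency `"zxcvbn": "4.4.2"` is pinned to an exact version, which is the right call for a library that decides what the registration flow accepts as a master password, but the lock entry recorded for it in this same commit carries only a `sha1-` integrity value while the neighbouring entries (including the new `@types/zxcvbn`) use `sha512-`. Regenerating the lockfile with a current npm would record the stronger integrity hash for the same tarball and keep install-time verification uniform across the lock. The type package is added as a caret range under the dev entries (`"dev": true` in the lock), consistent with the other `@types/*` lines.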
diff --git a/src/abstractions/passwordGeneration.service.ts b/src/abstractions/passwordGeneration.service.ts
index c2d904cc96..a94283d73a 100644
--- a/src/abstractions/passwordGeneration.service.ts
+++ b/src/abstractions/passwordGeneration.service.ts
@@ -8,4 +8,5 @@ export abstract class PasswordGenerationService {
 getHistory: () => Promise;
 addHistory: (password: string) => Promise;
 clear: () => Promise;
+ passwordStrength: (password: string, userInputs?: string[]) => zxcvbn.ZXCVBNResult;
 }
diff --git a/src/angular/components/register.component.ts b/src/angular/components/register.component.ts
index bad3b3ced9..0880385677 100644
--- a/src/angular/components/register.component.ts
+++ b/src/angular/components/register.component.ts
@@ -7,6 +7,7 @@ import { ApiService } from '../../abstractions/api.service';
 import { AuthService } from '../../abstractions/auth.service';
 import { CryptoService } from '../../abstractions/crypto.service';
 import { I18nService } from '../../abstractions/i18n.service';
+import { PasswordGenerationService } from '../../abstractions/passwordGeneration.service';
 import { PlatformUtilsService } from '../../abstractions/platformUtils.service';
 import { StateService } from '../../abstractions/state.service';
 
@@ -20,13 +21,16 @@ export class RegisterComponent {
 hint: string = '';
 showPassword: boolean = false;
 formPromise: Promise;
+ masterPasswordScore: number;
 
 protected successRoute = 'login';
+ private masterPasswordStrengthTimeout: any;
 
 constructor(protected authService: AuthService, protected router: Router,
 protected i18nService: I18nService, protected cryptoService: CryptoService,
 protected apiService: ApiService, protected stateService: StateService,
- protected platformUtilsService: PlatformUtilsService) { }
+ protected platformUtilsService: PlatformUtilsService,
+ protected passwordGenerationService: PasswordGenerationService) { }
 
 async submit() {
 if (this.email == null || this.email === '') {
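Review bot: The declared return type `zxcvbn.ZXCVBNResult` omits the `null` that the concrete implementation returns for an empty or missing password (services hunk), which is exactly what the register component then guards against with `strengthResult != null`; under `strictNullChecks` the contract should read `passwordStrength: (password: string, userInputs?: string[]) => zxcvbn.ZXCVBNResult | null;`. The `zxcvbn` namespace is referenced here with no import visible in this hunk; if it resolves through the UMD global declared by `@types/zxcvbn`, an explicit `import * as zxcvbn from 'zxcvbn';` at the top of the file would make the type dependency explicit and is elided at emit because it is used only in a type position. The enclosing `PasswordGenerationService` abstract class starts before the hunk.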
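Review bot: `private masterPasswordStrengthTimeout: any;` uses `any` for a timer handle; `ReturnType<typeof setTimeout>` (or `number` in a browser-only build) types it without loosening the rest of the class. `masterPasswordScore: number` is assigned `null` in `updatePasswordStrength` in the next hunk, so under `strictNullChecks` it should be declared `masterPasswordScore: number | null;`, and a short comment such as `// zxcvbn score (0-4) of the current master password; null when no password is entered` would document what the field holds. The `RegisterComponent` class begins before this hunk and the `submit` body continues after it.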
@@ -55,6 +59,16 @@ export class RegisterComponent {
 return;
 }
 
+ const strengthResult = this.passwordGenerationService.passwordStrength(this.masterPassword, null);
+ if (strengthResult != null && strengthResult.score < 3) {
+ const result = await this.platformUtilsService.showDialog(this.i18nService.t('weakMasterPasswordDesc'),
+ this.i18nService.t('weakMasterPassword'), this.i18nService.t('yes'), this.i18nService.t('no'),
+ 'warning');
+ if (!result) {
+ return;
+ }
+ }
+
 this.name = this.name === '' ? null : this.name;
 this.email = this.email.trim().toLowerCase();
 const kdf = KdfType.PBKDF2_SHA256;
@@ -87,4 +101,14 @@ export class RegisterComponent {
 this.showPassword = !this.showPassword;
 document.getElementById(confirmField ? 'masterPasswordRetype' : 'masterPassword').focus();
 }
+
+ updatePasswordStrength() {
+ if (this.masterPasswordStrengthTimeout != null) {
+ clearTimeout(this.masterPasswordStrengthTimeout);
+ }
+ this.masterPasswordStrengthTimeout = setTimeout(() => {
+ const strengthResult = this.passwordGenerationService.passwordStrength(this.masterPassword, null);
+ this.masterPasswordScore = strengthResult == null ? null : strengthResult.score;
+ }, 300);
+ }
 }
diff --git a/src/services/passwordGeneration.service.ts b/src/services/passwordGeneration.service.ts
index f5b9b083aa..0eb2d738fe 100644
--- a/src/services/passwordGeneration.service.ts
+++ b/src/services/passwordGeneration.service.ts
@@ -1,3 +1,5 @@
+import * as zxcvbn from 'zxcvbn';
+
 import { CipherString } from '../models/domain/cipherString';
 import { GeneratedPasswordHistory } from '../models/domain/generatedPasswordHistory';
 
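Review bot: Both new `passwordStrength` calls pass `null` as `userInputs` (here and in `updatePasswordStrength` in the next hunk), so the component never gives zxcvbn the account-specific terms the service parameter exists for; a master password built from the user's own email or name would therefore not be penalised and could pass the `score < 3` gate. Passing the non-empty values the component already holds (`this.email`, `this.name`, filtered of null/empty entries) in both call sites scores such passwords as weak, which is the point of the check. Passing `null` explicitly also conflicts with the abstraction's optional `userInputs?: string[]` under `strictNullChecks`; when there is nothing to pass, omitting the argument is enough. The threshold `3` would read better as a named class constant, e.g. `private readonly minimumMasterPasswordScore = 3;`. The `submit` method begins before this hunk.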
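Review bot: The callback scheduled by `setTimeout` in `updatePasswordStrength` is never cancelled when the component goes away, so a keystroke followed by navigation within 300 ms still runs the scoring after the view is gone; if the component can implement `OnDestroy`, an `ngOnDestroy` that calls `clearTimeout(this.masterPasswordStrengthTimeout)` when the handle is set closes that window (the class's lifecycle hooks are not visible in this hunk). The strength lookup is duplicated between here and `submit`; a private helper returning the score would keep the two call sites in step. A short comment on the method, e.g. `// Debounced (300 ms) recomputation of masterPasswordScore while the user types`, would explain why the timer exists.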
@@ -240,6 +242,20 @@ export class PasswordGenerationService implements PasswordGenerationServiceAbstr
 return await this.storageService.remove(Keys.history);
 }
 
+ passwordStrength(password: string, userInputs: string[] = null): zxcvbn.ZXCVBNResult {
+ if (password == null || password.length === 0) {
+ return null;
+ }
+ let globalUserInputs = ['bitwarden', 'bit', 'warden'];
+ if (userInputs != null) {
+ globalUserInputs = globalUserInputs.concat(userInputs);
+ }
+ // Use a hash set to get rid of any duplicate user inputs
+ const finalUserInputs = Array.from(new Set(globalUserInputs));
+ const result = zxcvbn(password, finalUserInputs);
+ return result;
+ }
+
 private async encryptHistory(history: GeneratedPasswordHistory[]): Promise {
 if (history == null || history.length === 0) {
 return Promise.resolve([]);
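Review bot: `passwordStrength` returns `null` for an empty password but is declared to return `zxcvbn.ZXCVBNResult`, so the signature should be `zxcvbn.ZXCVBNResult | null` to match what the register component already checks for; the `userInputs: string[] = null` default likewise disagrees with the abstraction's `userInputs?: string[]` and can simply be `userInputs?: string[]`, with the existing `!= null` guard handling the omitted case. The base dictionary `['bitwarden', 'bit', 'warden']` is rebuilt on every call from a keystroke-driven path; hoisting it to a module-level `const` avoids the re-allocation and lets the method read as "merge caller inputs, then dedupe". A TSDoc block stating that the result's `score` is zxcvbn's 0–4 rating, that `userInputs` are treated as guessable terms, and that `null` is returned for an empty password would document the contract for both callers. The `PasswordGenerationService` class continues outside this hunk.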