Label: enhancement (New feature or request)
Description and context
In `client/app/prompt.go:104-110`, the `ValidatePasswordInput` function currently verifies the password length using `len(input)` to ensure it is complex enough. This approach has several drawbacks:

- `len` returns the number of bytes, not characters. This miscalculates the length of passwords containing multibyte UTF-8 characters (e.g., the Italian `é` character or emojis), which may have fewer than the required 8 visible characters but be longer in byte count. Consequently, users may input visually valid passwords that are rejected or insecurely accepted, undermining both usability and security expectations.
- There can be passwords that are long enough but still very weak (such as "12345678").
- Another small UX issue is the following check in `InputPassword`:

  ```go
  if strings.Contains(strings.ToLower(promptText), "new wallet") {
      fmt.Println("Password requirements: at least 8 characters")
  }
  ```

  The string "new wallet" is not contained in any prompt that uses `InputPassword`, so this text will never be printed.
Suggested solution
Issue 1 could be addressed with a rune-based length validation. For proper complexity verification, we recommend using a library such as https://github.com/wagslane/go-password-validator, which addresses issues 1 and 2.
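As an added illustration of what a rune-based length check combined with a strength estimate looks like (example code written for this issue, not the project's `ValidatePasswordInput` and not the go-password-validator library; the thresholds, the `ByteAndRuneLength` helper and the `EstimateEntropyBits` heuristic are assumptions made here):

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"unicode"
	"unicode/utf8"
)

// Thresholds assumed for this example; the project's own values may differ.
const (
	minPasswordRunes = 8
	minEntropyBits   = 40.0
)

// ByteAndRuneLength returns len(s) (bytes, which is what a len()-based check
// measures) next to the number of user-visible characters (runes).
func ByteAndRuneLength(s string) (bytes int, runes int) {
	return len(s), utf8.RuneCountInString(s)
}

// EstimateEntropyBits is a crude strength estimate (hypothetical helper, not
// the go-password-validator algorithm): log2 of the smallest character pool
// that covers every rune, times an effective length in which each repeated
// occurrence of a rune counts only half.
func EstimateEntropyBits(s string) float64 {
	var lower, upper, digit, other bool
	seen := map[rune]int{}
	for _, r := range s {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
		seen[r]++
	}
	pool := 0
	if lower {
		pool += 26
	}
	if upper {
		pool += 26
	}
	if digit {
		pool += 10
	}
	if other {
		pool += 32 // rough size of the printable punctuation/space set
	}
	if pool == 0 {
		return 0
	}
	effective := 0.0
	for _, n := range seen {
		effective += 1 + 0.5*float64(n-1)
	}
	return effective * math.Log2(float64(pool))
}

// ValidatePasswordInput counts runes instead of bytes and additionally rejects
// passwords that are long enough but trivially guessable.
func ValidatePasswordInput(input string) error {
	if !utf8.ValidString(input) {
		return errors.New("password must be valid UTF-8")
	}
	if _, runes := ByteAndRuneLength(input); runes < minPasswordRunes {
		return fmt.Errorf("password must be at least %d characters, got %d", minPasswordRunes, runes)
	}
	if bits := EstimateEntropyBits(input); bits < minEntropyBits {
		return fmt.Errorf("password is too weak: about %.0f bits of entropy, need %.0f", bits, minEntropyBits)
	}
	return nil
}

func main() {
	// Constructed sample inputs: "café!!!" is 8 bytes but only 7 characters,
	// so a len()-based check would accept it while the rune count rejects it.
	for _, p := range []string{"12345678", "café!!!", "Pässwörd-2024!"} {
		b, r := ByteAndRuneLength(p)
		fmt.Printf("%-18q bytes=%d runes=%d -> %v\n", p, b, r, ValidatePasswordInput(p))
	}
}
```

One caveat worth keeping in mind when switching to rune counting: a character such as `é` can also be entered in decomposed form (`e` followed by a combining accent), which is two runes. If that matters for the wallet prompt, normalize the input (for instance to NFC) before counting.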