replace custom password validator with zxcvbn
Title (semantic)
refactor(auth): replace custom password validator with zxcvbn
Description
This merge request refactors the password validation logic by replacing the existing regex-based validator and hardcoded weak password list with the zxcvbn password strength estimator.
The previous implementation relied on character composition rules (uppercase, digits, special characters) which are known to:
- Allow weak but pattern-based passwords (e.g., "Password1!")
- Reject strong passphrases (e.g., "correct-horse-battery-staple")
- Require ongoing maintenance of weak password lists
The new implementation uses zxcvbn to evaluate password strength based on real-world attack patterns such as dictionary attacks, common substitutions, and user-specific inputs.
A minimum score threshold of 3 (out of 4) is enforced. Validation errors now include actionable feedback and suggestions for improving password strength.
This change aligns the application with modern security practices and NIST SP 800-63B guidelines.
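As an added illustration of the change described above (not this project's code): a composition-rule validator of the kind being removed, next to a zxcvbn-backed one that enforces the score threshold of 3 and surfaces zxcvbn's feedback. The function names, the sample weak list and the `estimate` parameter (defaulting to the `zxcvbn` npm package, injectable for tests) are assumptions.

```javascript
// Added example for this MR; not the project's own code. Function names,
// the sample weak list and the injectable `estimate` parameter are assumptions.

const MIN_SCORE = 3; // zxcvbn scores 0..4; the MR requires at least 3

// Previous approach: character-class rules plus a hand-maintained weak list.
// It accepts pattern-based passwords and rejects long passphrases.
const WEAK_LIST = new Set(["password", "123456", "qwerty"]); // constructed sample
function legacyValidate(password) {
  if (password.length < 8) return { ok: false, errors: ["too short"] };
  if (WEAK_LIST.has(password.toLowerCase())) return { ok: false, errors: ["too common"] };
  const classes = [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/];
  const missing = classes.filter((re) => !re.test(password));
  return missing.length
    ? { ok: false, errors: ["must contain upper, lower, digit and symbol"] }
    : { ok: true, errors: [] };
}

// New approach: delegate strength estimation to zxcvbn. `userInputs` (email,
// username, ...) is forwarded so user-specific values count against the
// password, and zxcvbn's warning/suggestions become the error messages.
// `estimate` is the zxcvbn function; tests may inject a stand-in.
function validateWithZxcvbn(password, userInputs = [], estimate = require("zxcvbn")) {
  const result = estimate(password, userInputs);
  if (result.score >= MIN_SCORE) return { ok: true, score: result.score, errors: [] };
  const errors = [`Password is too weak (score ${result.score}/4, need ${MIN_SCORE})`];
  if (result.feedback && result.feedback.warning) errors.push(result.feedback.warning);
  for (const s of (result.feedback && result.feedback.suggestions) || []) errors.push(s);
  return { ok: false, score: result.score, errors };
}

// The two cases the MR description cites, checked against the legacy rules.
console.log(legacyValidate("Password1!"));                    // accepted by old rules
console.log(legacyValidate("correct-horse-battery-staple"));  // rejected by old rules
```

Running `validateWithZxcvbn` against real passwords requires `npm install zxcvbn`; the legacy checks above run without it.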
Checklist
- Code has been refactored for clarity, maintainability, or security.
- Functional behavior improved without breaking existing flows.
- All existing tests are passing.
- Code adheres to project coding standards.