chore!: enforce minimum password length

CHANGELOG.md

@@ -12,6 +12,12 @@ To do this, the `@dfinity/agent` version was updated as well.
 
 The schema command can now output the schema for extension.json files.
 
+### chore!: enforce minimum password length of 9 characters
+
+The [NIST guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html) require passwords to be longer than 8 characters.
+This is now enforced when creating new identities.
+Identities protected by a shorter password can still be decrypted.
+
 # 0.21.0
 
 ### feat: dfx killall

docs/cli-reference/dfx-identity.mdx

@@ -138,6 +138,9 @@ dfx identity export alice >generated-id.pem
 
 Use the `dfx identity import` command to create a user identity by importing the user’s key information or security certificate from a PEM file.
 
+*Password policy*: If an identity is imported using `--storage-mode password-protected`, the following requirements apply to the password:
+- The password needs to be longer than 8 characters.
+
 ### Basic usage
 
 ``` bash
@@ -198,6 +201,9 @@ In this example, the `bob_standard` identity is the currently-active user contex
 Use the `dfx identity new` command to add new user identities. You should note that the identities you add are global. They are not confined to a specific project context. Therefore, you can use any identity you add using the `dfx identity new` command in any project.
 Only the characters `ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.-_@0123456789` are valid in identity names.
 
+*Password policy*: If an identity is created using `--storage-mode password-protected`, the following requirements apply to the password:
+- The password needs to be longer than 8 characters.
+
 ### Basic usage
 
 ``` bash

e2e/assets/expect_scripts/create_identity_with_invalid_password.exp

@@ -0,0 +1,11 @@
+#!/usr/bin/expect -df
+
+match_max 100000
+set timeout 30
+
+spawn dfx identity new bob --storage-mode password-protected
+expect "Please enter a passphrase for your identity: "
+send -- "1234\r"
+expect "error: Password must be longer than 8 characters."
+send \x03
+expect eof

e2e/assets/expect_scripts/create_identity_with_password.exp

@@ -22,4 +22,4 @@ expect {
 	}
 }
 expect "Decryption complete."
-expect eof
+expect eof

e2e/tests-dfx/identity_encryption.bash

@@ -19,6 +19,7 @@ teardown() {
 @test "can create and use identity with password" {
   assert_command "${BATS_TEST_DIRNAME}/../assets/expect_scripts/init_alice_with_pw.exp"
   assert_command "${BATS_TEST_DIRNAME}/../assets/expect_scripts/create_identity_with_password.exp"
+  assert_command "${BATS_TEST_DIRNAME}/../assets/expect_scripts/create_identity_with_invalid_password.exp"
 }
 
 @test "wrong password is rejected" {

src/dfx-core/src/identity/pem_safekeeping.rs

@@ -168,6 +168,7 @@ fn maybe_decrypt_pem(
     }
 }
 
+#[derive(PartialEq, Eq)]
 enum PromptMode {
     EncryptingToCreate,
     DecryptingToUse,
@@ -180,6 +181,14 @@ fn password_prompt(mode: PromptMode) -> Result<String, EncryptionError> {
     };
     dialoguer::Password::new()
         .with_prompt(prompt)
+        .validate_with(|password: &String| -> Result<(), &str> {
+            // Password may have been set before length check has been implemented, so only reject bad passwords during identity creation
+            if password.len() > 8 || mode == PromptMode::DecryptingToUse {
+                Ok(())
+            } else {
+                Err("Password must be longer than 8 characters.")
+            }
+        })
         .interact()
         .map_err(EncryptionError::ReadUserPasswordFailed)
 }