feat(strata-cli)!: add hash version and optional password

[storopoli]

Description

• Adds the HashVersion enum to the wallet encryption.
• Adds password strenght assessment with zxcvbn.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature/Enhancement (non-breaking change which adds functionality or enhances an existing one)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactor

Checklist

• I have performed a self-review of my code.
• I have commented my code where necessary.
• I have updated the documentation if needed.
• My changes do not introduce new warnings.
• I have added tests that prove my changes are effective or that my feature works.
• New and existing tests pass with my changes.

Related Issues

STR-493 and STR-500.

Screenshot

Empty or very low entropy password:

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 60 lines in your changes missing coverage. Please review.

Project coverage is 57.17%. Comparing base (2486f5c) to head (b3709c1).
Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
bin/strata-cli/src/seed/password.rs	0.00%	30 Missing ⚠️
bin/strata-cli/src/seed.rs	0.00%	19 Missing ⚠️
bin/strata-cli/src/cmd/change_pwd.rs	0.00%	11 Missing ⚠️

@@            Coverage Diff             @@
##             main     #392      +/-   ##
==========================================
- Coverage   57.35%   57.17%   -0.19%     
==========================================
  Files         255      255              
  Lines       26953    27008      +55     
==========================================
- Hits        15459    15441      -18     
- Misses      11494    11567      +73     

Files with missing lines	Coverage Δ
bin/strata-cli/src/cmd/change_pwd.rs	0.00% <0.00%> (ø)
bin/strata-cli/src/seed.rs	0.00% <0.00%> (ø)
bin/strata-cli/src/seed/password.rs	0.00% <0.00%> (ø)

... and 5 files with indirect coverage changes

[storopoli]

@Zk2u can you please check the impl?
@AaronFeickert can you check if the messages are proper?

[storopoli]

What about?

Suggested change

	"Password strength (estimated crack time): {}",
	"Password strength (estimated time needed by an attacker): {}",

[AaronFeickert]

I think it's neat that the library can do time estimates, but I'm not sure it's particularly useful for the end user. Is a decade sufficiently strong? A thousand years? It's not really actionable.

My recommendation is instead to use the score provided by the library (but without showing it to the user directly). If the score is at least 3 (sufficiently strong), don't provide any feedback. If the score is below that threshold, warn the user and consider providing feedback.

[storopoli]

Thanks for the suggestions, totally agreed.
I've implemented in b3709c1

[storopoli]

PS: Screenshots updated

[AaronFeickert]

Recommend including a citation comment to the relevant OWASP recommendation to justify these magic numbers.

[AaronFeickert]

Also recommend explicitly specifying the output length instead of relying on the None default behavior for the parameters.

[storopoli]

Good catch, done in 953d9f4

[AaronFeickert]

It's a nit, but I wouldn't even bother showing the user the score, since it's not really actionable on its own. If the passphrase is weak and there's feedback, let the user know. If it's strong, just set the passphrase.

[AaronFeickert]

See other comment.

[delbonis]

Fntests failing, it's probably the flaky test.