[PM-36021] Remove hyphenated words from passphrase generator input/output

[harr1424]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-36021

📔 Objective

This PR removes hyphenated words from the slice of words used to generate passphrases. This accomplishes the following:

• avoid obscure test failures
• avoid passphrase output that appears to violate requested word count

As an example, the word list formerly contained the word "drop-down" which resulted in the following test failure:

failures:

---- test_generate_passphrase_default_words stdout ----

thread 'test_generate_passphrase_default_words' (26459) panicked at crates/bw/tests/generate.rs:208:5:
assertion `left == right` failed: Default passphrase should have 6 words, got: safeness-drop-down-proud-endpoint-siesta-bobble
  left: 7
 right: 6
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

⚠️ 4 words out of 7776 in the wordlist will effectively be filtered from the input of words used to generate a random passphrase, slightly reducing the amount of entropy present in this process.

[github-actions]

Checkmarx One – Scan Summary & Details – dc71ed87-879d-4bad-b1c6-440024f13f07

Great job! No new security vulnerabilities introduced in this pull request

[github-actions]

🔍 SDK Breaking Change Detection

SDK Version: PM-36021-Remove-hyphens-from-hyphenated-words-in-EFF-word-list (7c1a610)

Client	Status	Details

| typescript | ⚠️ Workflow execution issues | Check workflow logs for details |

| android | ⚠️ Workflow execution issues | Check workflow logs for details |

Results update as workflows complete.

[quexten]

I don't think we should base changes to cryptographic entropy on the fact that test failures occur. However, I would argue that felt, tip, are two separate words juts as well as felt-tip is one, so in the context of felt-tip-drool, it is unclear whether the user has chosen three words or two. In the context of our application use of joining with -, these words create inconsistent output generation (as discovered by the test).

If we were to do this, we must add a proper comment. We no longer use the EFF wordlist. We should rename the const to EFF_WORDLIST_MODIFIED.

However, this currently introduces a breaking change that makes cryptographic fingerprints incompatible with the old set of fingerprints. The unit tests also confirm this.

sdk-internal/crates/bitwarden-crypto/src/fingerprint.rs

Line 33 in 309618d

let entropy_per_word = (EFF_LONG_WORD_LIST.len() as f64).log2();

Because of this, my suggestion is to actually introduce a tools-owned function to filter the EFF wordlist to exclude these specific words, and to use that in your code.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.51%. Comparing base (3aa1201) to head (8cb78da).
⚠️ Report is 10 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1007      +/-   ##
==========================================
+ Coverage   84.30%   84.51%   +0.20%     
==========================================
  Files         395      403       +8     
  Lines       48632    49981    +1349     
==========================================
+ Hits        41000    42240    +1240     
- Misses       7632     7741     +109     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[harr1424]

The changes to gen_words() effectively reduce the size of the wordlist used, but only local to that function call. The tests in this file have been updated so that word removals have been accounted for.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud