Open elarb opened 5 years ago
I think a minimum length is good. A maximum length of 128 is necessary to ensure proper data persistence. I think we should not implement any other requirement and leave that to the user.
Maybe you can use the HaveIBeenPwned.com API to show people that their password has been in a data breach. But I'm not sure if that is possible...
@svenpopping Yea sounds cool and it's probably possible, but I think it's kind of out of scope and I don't think that we should depend on an external API for the password
Could use Dropbox's password checker: https://github.com/dropbox/zxcvbn
Currently, the password strength control is very poor (e.g. passwords with a single character are allowed). We should improve the required password strength to protect the users from being compromised (either manually or by automated means).
OWASP has a great guideline that we could follow.
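As an added example (not code from the project or from any commenter), a validator that combines the length rules discussed in this thread with the offline half of the Have I Been Pwned "Pwned Passwords" range check. The minimum of 12 characters, the function names and the sample range response are assumptions; the thread itself fixes only the maximum of 128.

```python
import hashlib
from typing import Optional

# Length policy from the thread: a minimum length plus a hard maximum of 128.
MIN_LENGTH = 12   # assumed value; the thread does not fix a minimum
MAX_LENGTH = 128  # maximum proposed in the thread

def check_length(password: str) -> list[str]:
    """Return policy violations for the length rules (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    return problems

def hibp_range_query(password: str) -> tuple[str, str]:
    """Split the SHA-1 of the password into the 5-hex-char prefix that is sent
    to the Pwned Passwords range endpoint and the suffix kept locally, so the
    full hash never leaves the server (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_response: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how often
    the password appeared in known breaches, 0 if the suffix is absent."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0

def validate(password: str, range_response: Optional[str] = None) -> list[str]:
    """Apply the length rules and, when a range response is supplied, the
    breach check. Fetching https://api.pwnedpasswords.com/range/<prefix> is
    left to the caller so this module stays offline and testable."""
    problems = check_length(password)
    if range_response is not None:
        _, suffix = hibp_range_query(password)
        hits = breach_count(suffix, range_response)
        if hits:
            problems.append(f"found in {hits} known breaches")
    return problems

# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with
# 5BAA6); the other suffixes and all counts are made up to exercise the parser.
SAMPLE_RANGE_RESPONSE = """\
1E2AABBCCDDEEFF00112233445566778899:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1E9F0000000000000000000000000000000:12
"""
```

Calling `validate("password", SAMPLE_RANGE_RESPONSE)` reports both the length violation and the breach hit, while a long passphrase absent from the response passes with an empty list.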