GetTerminus / terminus-ui

📚 The Terminus UI Library.
MIT License

Password strength indicator #730

Open benjamincharity opened 6 years ago

benjamincharity commented 6 years ago

Really enjoyed this experience... very clear:

Screen Shot 2019-10-24 at 8.05.39 AM.png

brendanjerwin commented 6 years ago

We should talk about this. NIST recommendations have changed. In order to do this, we will actually want a service that can, among other things, check the password against a database of known leaked passwords.

https://pages.nist.gov/800-63-3/sp800-63b.html Section 5.1.1.2 Memorized Secret Verifiers

benjamincharity commented 6 years ago

@brendanjerwin is the thought that we would have 2-part validation of sorts?

  1. UI checking that the password input matches our format requirements
  2. UI hits service to verify password is not compromised etc.

Would 2 be something that is happening as the user types or something that happens on form submission (like checking that a username is available, etc.)?

brendanjerwin commented 6 years ago

Something like that. But keep in mind that format requirements, as they traditionally are described, are no longer part of the NIST recommendation. (All that BS around "at least one special character" etc...) 'Strength' is primarily a function of length, lack of repeated characters, and not being in the corpus of known passwords.

benjamincharity commented 6 years ago

Makes sense. Will Terminus be updating what we require for passwords? When I started it was a) between 6 & 100 characters, b) contains at least one number.

brendanjerwin commented 6 years ago

Yeah. I’m shaking trees to find who I need to talk to. BTW I’m noodling in some ideas that might let us do this all client side... thinking we might be able to ship a bloom filter of the compromised password corpus to the client.

benjamincharity commented 6 years ago

Oh nice. That sounds like a great idea