MigOpsRepos / credcheck

PostgreSQL plain credential checker
MIT License

Stop harassing users and make checks effective #2

Closed davidfetter closed 6 months ago

davidfetter commented 3 years ago

While it's tempting to create systems that enforce rules that amount to a regular expression, the effect is to harass users into coming up with passwords that are actually easier to crack than they would be otherwise. Here's an example that's by no means the earliest.

A much better way to harden passwords against attacks is to use things like checks against databases of leaked passwords like this one.

Would you be interested in patches that implemented more helpful interventions? I'm thinking that there could be an API that would let people set what amounts to a list of checks to be run, making it easier to adjust same.

migopsdinesh commented 3 years ago

Totally agree with you on the points, and thank you for sharing the thoughts on this extension. It is a nice thought to check the user credentials via an API to an external service, and yes we are interested in the patches :-)

migopsdinesh commented 3 years ago

@davidfetter, yes we are interested in the patches, which would have the API communication for the credential checks. Just a thought here: as you already know, most production databases will not have access to the internet, and it would be great if we could do the credential checks within the application subnet.
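A sketch of the "configurable list of checks" idea from this thread, including a leaked-password lookup that works against a locally mirrored corpus rather than the internet. This is an added example, not credcheck's code; the corpus contents, the check names and the prefix-then-suffix lookup style are assumptions made for illustration.

```python
import hashlib
from typing import Callable, List, Optional

# Constructed sample of a leaked-password corpus: uppercase SHA-1 digests, as an
# operator-maintained mirror inside the application subnet might store them.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1!", "letmein", "qwerty123")
}

# A check takes (username, password) and returns a failure reason, or None if it passes.
Check = Callable[[str, str], Optional[str]]


def min_length(n: int) -> Check:
    def check(user: str, pw: str) -> Optional[str]:
        return None if len(pw) >= n else f"shorter than {n} characters"
    return check


def not_contains_username(user: str, pw: str) -> Optional[str]:
    return "contains the username" if user.lower() in pw.lower() else None


def not_leaked(corpus) -> Check:
    """Look the password up in a leaked-hash corpus. Only the first five hex digits
    select candidates, then the remainder is compared locally, mirroring how
    range-query lookup services avoid ever receiving the full hash."""
    def check(user: str, pw: str) -> Optional[str]:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        prefix, suffix = digest[:5], digest[5:]
        candidates = {h[5:] for h in corpus if h.startswith(prefix)}
        return "found in leaked-password corpus" if suffix in candidates else None
    return check


def run_checks(user: str, pw: str, checks: List[Check]) -> List[str]:
    """Run every configured check and return all failure reasons (empty = accepted)."""
    return [r for r in (c(user, pw) for c in checks) if r is not None]


# The operator-adjustable policy: an ordered list of checks rather than one regex.
POLICY: List[Check] = [min_length(12), not_contains_username, not_leaked(LEAKED_SHA1)]

if __name__ == "__main__":
    for user, pw in [("alice", "Password1!"), ("alice", "correct-horse-battery-staple")]:
        print(user, "->", run_checks(user, pw, POLICY) or "accepted")
```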