Password strength estimator

[BurntimeX]

When entering a new password, the user should be shown a visual indicator of the estimated strength of the password.

We could use the following solution: https://github.com/dropbox/zxcvbn

I would also like to remove the existing password security settings (registerpassword*), as these do not always lead to better passwords.

[TimWolla]

I would also like to remove the existing password security settings (registerpassword*), as these do not always lead to better passwords.

Agreed. But I think a somewhat sane security level should be enforced by default then. As an example:

• Either: At least 12 characters
• or: At least 10 characters with lowercase, uppercase and digits.

These do not disallow any obviously strong passwords, but prevent the worst of the bad ones.

The check could then be disabled in development + debug mode to allow stuff like test for testing on localhost.

[BurntimeX]

zxcvbn calculates a score for the password. We could require a minimum value for the score and reject all passwords with a score below 2.

[TimWolla]

That would require putting it both into the client and the PHP clone onto the server, keeping them properly in sync.

But yes, that would probably be the better solution if we're already going for zxcvbn.

[cadeyrn]

Either: At least 12 characters or: At least 10 characters with lowercase, uppercase and digits.

These are classic anti-patterns.

Reading recommendations:

• https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf
• https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

[dtdesign]

I agree with @cadeyrn, enforcing arbitrary character classes is stupid. In case you forgot: https://xkcd.com/936/.

It should be sufficient to "validate" the password in the client and if the password is considered weak, notify the user. Maybe even prompt them if it is too weak, but if they want to use it, let them. A certain minimum length should be in place regardless, because we need at least some entropy.

[TimWolla]

I'm very well aware that length beats character classes, that's why my suggestion included the “free pass” with regard to classes once you reached 12 characters (e.g. allowing for diceware passwords or anything coming out of a generator).

For a smaller length at least requiring the three basic character classes (I intentionally left out special characters, because of the bad user experience on phones) ensures that there's some basic security level.

[GangstaSunny]

I agree to @TimWolla but this still wouldn't be a real good solution. Always keep in mind that the most users will then have to use passwords they can't remember. Because of that they will probably reuse their passwords a lot.

It may depend on community and even if its used internally or don't. So it should be - in my opinion - an administrator choice.

[dtdesign]

The biggest misconception about password rules are that they lead to better passwords. They do not, all they do is forcing users to slightly modify their password to match the rules: If password does not qualify, password1! isn't significantly safer. The extra character classes aren't improving the password because many users will use predictable prefixes/suffixes to match the rules.

I guess we could use zxcvbn's password score and add an option to enforce a minimum score, for example, > 0 or > 1. Anything above that is unrealistic and annoys the user. Do not enforce anything else, it wouldn't improve the security.