Change the names of the Password Strength Level

[fungc-io]

Our password strength level is conflicting with the description of the strength estimation library.

• "Very Unguessable" refers to "Safely Unguessable"
• "Extremely Unguessable" refers to "Very Unguessable"

Suggest to change them to:

• Disabled
• Very Weak
• Weak
• Fair
• Strong
• Very Strong

It's also easier to understand for layman

[linear[bot]]

DEV-1310 Change the names of the Password Strength Level

[chpapa]

Actually the name is not very understandable anyway.

What about if we rename it like these for our Authgear Portal?

• Disabled
• Very Weak: Guessable risky password (guesses < 10^3)
• Weak: Protection from throttled online attacks (guesses < 10^6)
• Fair: Protection from unthrottled online attacks (guesses < 10^8)
• Strong: Moderate protection from offline bruteforce on hashes (guesses <10^10)
• Very Strong: Strong protection from offline bruteforce on hashes (guesses >= 10^10)

Or something like that? to indicate both "no of guesses" and what type of attacks to expect protection from.

[fungc-io]

Yea, it will be useful to have a description. But it maybe too wordy in a dropdown

I'm thinking of presenting them with a vertical slider like this:

[fungc-io]

Hi @arvinho,

This refers to the password strength here,

We are thinking to 1) change the naming, 2) add description to each option.

What to you think is a good way to present them?

[arvinhoux]

@fungc-io Here are suggestions for adjusting the names of password strength levels.

For the descriptions, if they are aimed at general users, I think expressing them in this way may resonate better with users. Providing examples would enhance understanding. Of course, these examples can be modified according to our actual password setting rules.

• None: No password strength level set. (The default minimum password length is 8 characters.)
• Very Weak: The password is very simple, usually consisting of only numbers or letters and is very short. Examples: "123456" or "password".
• Weak: The password is somewhat more complex but still easy to guess or crack. It usually contains only one type of character and is slightly longer. Examples: "abcdef" or "qwerty123".
• Medium: The password has a certain level of complexity, containing multiple types of characters, but it may not be long enough. Examples: "Passw0rd" or "abc123$".
• Strong: The password is relatively strong, containing uppercase and lowercase letters, numbers, and special characters, and is of moderate length. Examples: "A7d$9kL!" or "Str0ngP@ss".
• Very Strong: The password is very strong, usually randomly generated, containing multiple types of characters, and is very long. Examples: "xY7&8k!9#L2mN@" or "6$GkP@2LrQ9*Vw3".

[chpapa]

@arvinhoux

1. It's not "no password set", password is still required (default is min length = 8)
2. The description, while I agree is easier for people to understand, are not technically accurate. I'm afraid it would also create trouble for us when enterprise users review it.

2nd thoughts, we should actually mention the password strength level here is based on zxcvbn, and maybe have a link to our help doc to explain it better.

Maybe we just add on the UI it is based on zxcvbn, and use the official description and score to make it clearer?

[arvinhoux]

I misunderstood earlier. Adjusting it to "None" to represent not using it may be more direct.

Alternatively, we can consider including a reference table in our documentation mapping to the official zxcvbn explanations, and provide a link to the official source. The benefit of doing so is that it can aid general users' understanding while also avoiding potential issues arising from misunderstandings.

[fungc-io]

@arvinho, such table and details are already in the help doc: https://docs.authgear.com/security/password-strength#how-password-strength-is-calculated-in-authgear

Maybe just add a paragraph/help text in the minimum strength selection in the Portal UI and link to the doc.

"Strength level based on [zxcvbn](link) algorithm"

Can you help design that?