Open dfabulich opened 7 months ago
We require passwords to be at least six characters long, but other than that, we don't have any password complexity requirements.
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls

> Include a password strength meter to help users create a more complex password and block common and previously breached passwords
> - zxcvbn-ts library can be used for this purpose.
> - Pwned Passwords is a service where passwords can be checked against previously breached passwords. You can host it yourself or use the API.
zxcvbn-ts is in TypeScript, so it probably doesn't make sense to run it from PHP (I guess we could shell out and run Node.js??)

But, for a start, I think just using it to power our password strength meter (and forbidding weak passwords client side) should be good enough.