kartik-v / yii2-password

Useful password strength validation utilities for Yii Framework 2.0
http://demos.krajee.com/password

support for zxcvbn? #18

Closed petskratt closed 9 years ago

petskratt commented 9 years ago

Have you considered using https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/ (implementations https://github.com/dropbox/zxcvbn and https://github.com/bjeavons/zxcvbn-php) as a replacement for scoring password strength based on actual entropy? The same library is used in WordPress, for example, and it does have a nice option for providing user-specific low-score words like the username etc.

(for multilingual support it might make sense to restrict the dictionary size and provide some common local password trends instead)

kartik-v commented 9 years ago

Not sure immediately I will have time for this. But if you can proceed or kickstart this with a PR please go ahead.

The size of the library you mention is also quite large - and many features there may be more pertinent for the security obsessed. So if it needs to be implemented at all, it should be a separate option (available to select if needed) rather than replacing the current one (the current implementation should be useful for most simpler use cases).

petskratt commented 9 years ago

For me it is more of a usability & developer-mindset issue than a purely security issue - if there are rules like "length > x, must contain numbers, upper and lower case characters" then devs tend to turn on a random set of requirements, resulting in users capitalizing the first letter and adding 1 and ! to the end.

This bypass doesn't make passwords less breakable and at the same time annoys people who have understood that longer, easily rememberable passwords are safer. And we participate in the creation of pointless habits :-)

But knowing that you don't have anything against it and are not currently busy implementing it already - I'll put it on my learning/todo list and see if I can produce code fit for a PR one day (I'm only learning Yii concepts - but it seems that Yii2 is worth investing more time in).
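The contrast petskratt describes, as an added example that is not part of this thread, of the yii2-password project, or of zxcvbn itself: a composition-rule check is set beside a toy guess-count estimator in the spirit of zxcvbn, so that "Password1!" (rules satisfied by capitalising the first letter and appending 1 and !) and a username-derived password both pass the rules yet rank as easy guesses. The word list, the substitution table, the per-character brute-force costs, the 0..4 score thresholds and all function names are assumptions made for illustration; a real estimator uses dictionaries of tens of thousands of ranked words plus keyboard-pattern, date and repeat matchers.

```javascript
// Added example, not code from the yii2-password project or from zxcvbn.
// A toy guess-count estimator set against a typical composition rule.
// Word list, substitution table, brute-force costs and score thresholds
// are all assumed values chosen for illustration.

// Constructed sample dictionary, ordered by assumed frequency (rank 1 = most common).
const COMMON_WORDS = ["password", "qwerty", "welcome", "letmein", "dragon", "summer"];

// A few common character substitutions ("leet") that guessing tools try early.
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };

// Typical composition rule: at least 8 characters with upper, lower and digit.
function passesCompositionRules(pw) {
  return pw.length >= 8 && /[A-Z]/.test(pw) && /[a-z]/.test(pw) && /[0-9]/.test(pw);
}

// Assumed cost of brute-forcing a single character, by character class.
function charCost(c) {
  if (/[a-zA-Z]/.test(c)) return 26;
  if (/[0-9]/.test(c)) return 10;
  return 33;
}

// Guesses needed if `segment` is a (possibly disguised) dictionary or user word.
function wordCost(segment, words) {
  const lower = segment.toLowerCase();
  const unleet = lower.replace(/./g, (c) => LEET[c] || c);
  let best = Infinity;
  words.forEach((w, i) => {
    if (w === lower) {
      best = Math.min(best, i + 1); // plain match: cost is the word's rank
    } else if (w === unleet) {
      best = Math.min(best, (i + 1) * 4); // substituted match: small extra factor
    }
  });
  if (best === Infinity) return Infinity;
  // Capitalising only the first letter is the most common variation: factor 2.
  if (/^[A-Z][^A-Z]*$/.test(segment)) best *= 2;
  else if (segment !== lower) best *= 8; // any other case mix
  return best;
}

// Dynamic programme over the password: choose the split into segments that
// minimises the product of per-segment guesses (tracked as log10 to avoid
// overflow). A much-simplified version of the "most guessable sequence" idea.
function estimateGuesses(pw, userInputs = []) {
  // User-specific words (username, e-mail local part, site name) are assumed
  // to be the first thing tried, so they go in front of the common words.
  const words = [...userInputs.map((u) => u.toLowerCase()), ...COMMON_WORDS];
  const n = pw.length;
  const dp = new Array(n + 1).fill(Infinity); // dp[i] = log10 guesses for pw[0..i)
  dp[0] = 0;
  for (let i = 1; i <= n; i++) {
    // Option 1: brute-force one more character.
    dp[i] = dp[i - 1] + Math.log10(charCost(pw[i - 1]));
    // Option 2: cover pw[j..i) with a word match (minimum length 3).
    for (let j = 0; j <= i - 3; j++) {
      const cost = wordCost(pw.slice(j, i), words);
      if (cost !== Infinity) dp[i] = Math.min(dp[i], dp[j] + Math.log10(cost));
    }
  }
  return Math.round(Math.pow(10, dp[n]));
}

// 0..4 score from guess count; thresholds are an assumption.
function score(guesses) {
  if (guesses < 1e3) return 0;
  if (guesses < 1e6) return 1;
  if (guesses < 1e8) return 2;
  if (guesses < 1e10) return 3;
  return 4;
}

function evaluate(pw, userInputs = []) {
  const guesses = estimateGuesses(pw, userInputs);
  return { password: pw, rules: passesCompositionRules(pw), guesses, score: score(guesses) };
}

// Constructed demo inputs: rules pass for the first two, yet they are cheap guesses.
[
  ["Password1!", []],
  ["Johndoe2024", ["johndoe"]],
  ["spinach trombone kettle", []],
].forEach(([pw, u]) => console.log(evaluate(pw, u)));
```

With the assumed costs, "Password1!" costs 2 (capitalised rank-1 word) times 10 times 33, i.e. 660 guesses, and "Johndoe2024" with the username supplied costs 2 times 10^4, both well inside score 0..1 despite satisfying the composition rule. The three-word passphrase is scored by brute force only because the toy dictionary does not contain its words; a full dictionary would match them and still land it far above the other two.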