It would be really useful to have some guidance on how to choose the correct strength value.
The documentation suggests a value of 0.66, essentially without justification. I've been doing some experimentation, feeding the results of the random-password-generator package into password_strength. This package generates random passwords with upper and lower case characters, numbers and special symbols.
Results suggest that a strength of 0.3 requires 9-10 character passwords to pass, 0.4 requires 11, 0.5 requires 12, 0.6 requires 13-14 characters while strength of 0.66, as recommended, requires a 15-character random password to pass the test.
My gut feeling is that this is excessive. That depends on what you're protecting, of course, and the sort of attack you're protecting against, but here again, some guidance would be useful. Obviously password requirements on a high-value account where we assume that the attacker has access to the password ciphertext will be different to a low-value account where we assume the attacker can brute force test one password every ten seconds. But where is the balance here?
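The two attacker models in the post (an online attacker limited to one guess every ten seconds versus an offline attacker holding the password hash) can be turned into a concrete minimum-length calculation. The following is an added example, not code from the password_strength package or from the issue author: it approximates a random password's entropy as length times log2(alphabet size), which is an assumption about the generator, not the library's own formula, and the offline guess rate of 1e10 guesses per second is an assumed figure for a fast unsalted hash on commodity hardware.

```python
import math

# Alphabet size assumed for the random-password-generator output described in
# the issue: upper + lower case letters, digits and printable ASCII symbols.
ASSUMED_ALPHABET = 26 + 26 + 10 + 32  # 94 characters

SECONDS_PER_YEAR = 365 * 24 * 3600

# Guess rates for the two attacker models in the post. The online figure is the
# one the post gives (one attempt per ten seconds); the offline figure is an
# assumed rate for an attacker who already holds the hash.
ONLINE_GUESSES_PER_SEC = 0.1
OFFLINE_GUESSES_PER_SEC_ASSUMED = 1e10


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to guess a password of the given entropy.

    On average the attacker succeeds after searching half the keyspace,
    hence 2 ** (bits - 1) guesses.
    """
    return 2 ** (bits - 1) / guesses_per_second


def min_length_for_budget(alphabet_size, guesses_per_second, target_seconds):
    """Smallest password length whose expected crack time meets `target_seconds`."""
    length = 1
    while expected_crack_seconds(entropy_bits(length, alphabet_size),
                                 guesses_per_second) < target_seconds:
        length += 1
    return length


def length_table(alphabet_size=ASSUMED_ALPHABET, years=10):
    """Minimum lengths for both attacker models, for a given survival target."""
    target = years * SECONDS_PER_YEAR
    return {
        "online_1_per_10s": min_length_for_budget(
            alphabet_size, ONLINE_GUESSES_PER_SEC, target),
        "offline_hash_assumed_rate": min_length_for_budget(
            alphabet_size, OFFLINE_GUESSES_PER_SEC_ASSUMED, target),
    }


if __name__ == "__main__":
    # Show how the lengths reported in the issue (9 to 15 characters) translate
    # into raw entropy, then the minimum lengths each attacker model demands.
    for n in (9, 11, 12, 14, 15):
        print(f"{n:2d} chars -> {entropy_bits(n, ASSUMED_ALPHABET):.1f} bits")
    for model, length in length_table().items():
        print(f"{model}: at least {length} characters to survive 10 years")
```

Run stand-alone it prints the entropy for the lengths quoted in the issue and the minimum length each attacker model requires to survive ten years of guessing. The point it makes is the one the post gestures at: under the rate-limited online model a short password already exhausts the attacker's budget, while the offline model is where length (and a slow, salted hash, which this calculation deliberately leaves out) actually matters, so a single fixed threshold like 0.66 cannot serve both cases.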