leekelleher / umbraco-package-ideas

Open ideas for Umbraco community packages
http://leekelleher.github.io/umbraco-package-ideas/

User password strength estimation #44

Open leekelleher opened 1 year ago

leekelleher commented 1 year ago

Idea summary

After reading Raymond Chen's blog post - Why is there a passwords.txt file on my system that’s filled with somebody else’s passwords? - I wondered if the passwords.txt could be leveraged when a user changes their password with the Umbraco backoffice.

Which categories would the idea fit?


fraabye commented 1 year ago

Hi @leekelleher

The only thing that really matters here is length and encouraging the use of password managers and passphrases.

Complexity requirements and password expiry make people create systems that make password attacks easier (Fall2022! etc.). A sensible minimum requirement is 12+ characters, and give bonus points if people use something besides alphanumeric characters.

A strong feature would be to enable API access to something like HaveIBeenPwned to prevent people from using existing, leaked passwords. https://haveibeenpwned.com/API/v2

Kind regards,
Frederik
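
The check suggested in the comment above (a 12-character minimum plus a leaked-password lookup), as an added example that is not part of the thread or of any Umbraco package. It assumes the Have I Been Pwned Pwned Passwords range endpoint, which takes the first five hex characters of the SHA-1 hash and returns `SUFFIX:COUNT` lines; the function names and the sample corpus are constructed for illustration, and the network call is replaced by an offline stand-in.

```python
import hashlib

MIN_LENGTH = 12  # minimum length suggested in the comment above

# Constructed sample data standing in for the breach corpus: password -> times seen.
# A count of 0 mimics the padding rows the service can mix into a response.
CONSTRUCTED_CORPUS = {"Fall2022!": 1234, "padding-row-example": 0}


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_fetch_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    rows = []
    for known, count in CONSTRUCTED_CORPUS.items():
        known_prefix, known_suffix = split_sha1(known)
        if known_prefix == prefix:
            rows.append(f"{known_suffix}:{count}")
    return "\r\n".join(rows)


def breach_count(suffix, range_body):
    """Find our suffix in the 'SUFFIX:COUNT' lines; a missing row or count 0 means unseen."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def evaluate(password, fetch_range=fake_fetch_range):
    """Return a list of reasons to reject the password (empty list = accept)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    prefix, suffix = split_sha1(password)  # only the prefix leaves the server
    seen = breach_count(suffix, fetch_range(prefix))
    if seen > 0:
        problems.append(f"seen {seen} times in breached password data")
    return problems
```

Passing a real HTTP client as `fetch_range` keeps the rest unchanged; the password and its full hash never leave the server, only the five-character prefix does.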