Topic: Password Strength Indicator

Password Strength Indicator

Will be a nice addition. Something similar to WordPress. Most people use 123456, password etc. The reason is that they just do not know.

Re: Password Strength Indicator

Reply #1

Mixed feelings.. Password strength is subjective and there's an option to force a mixture of characters for passwords: "Required strength for user passwords".
I still think a password like "%3ddD$RASewe" is insecure since no one can remember those passwords.
Thorsten "TE" Eurich
------------------------

Re: Password Strength Indicator

Reply #2

The problem is probably "how to define" strong passwords.
Easy-to-guess passwords are not so subjective; of course, really strong passwords are difficult to identify, I think.
Either way, an indication that a password is easy to guess is not that bad to me.

The "how to do" is a totally different thing... lol
Bugs creator.
Features destroyer.
Template killer.

Re: Password Strength Indicator

Reply #3

Checking for password structure might make users feel like the forum is recording them for later use.
A minimum length is already good enough IMHO. I dunno if I would do a preg match to look for numbers only, etc. Opinions?

Re: Password Strength Indicator

Reply #4

One could write a checker that follows Estimating Password Entropy and Strength from appendix A here. This at least gives an idea of how consuming it would be to break it. I'm sure someone has already done this, but hey, it's a good read.

ETA: https://github.com/erikbrannstrom/jQuery-Password-Entropy is not bad as a start, basic in its entropy math but it does have the blacklist word list for the most common passwords (from the RockYou mess)

And more fun .. this is a good article, and it's fun to look at the comparison of strength meters vs what is really a strong password. https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/ Some of those meters are showing a strong password for things that a computer would not even break a sweat on, and the strong ones are shown as weak although that's not the case. This one is available here https://github.com/lowe/zxcvbn
Last Edit: February 18, 2014, 11:27:26 am by Spuds
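
The kind of checker Reply #4 describes, as an added example that is not part of any post in this thread and not code from the linked projects: the per-character entropy heuristic from NIST SP 800-63 Appendix A combined with a common-password list. The function names, the five-entry sample list and the label thresholds are assumptions made for illustration.

```javascript
// Constructed sample list; a real deployment would load a much larger list
// of leaked passwords, as the linked jQuery plugin does.
const COMMON_PASSWORDS = new Set(['123456', 'password', '12345678', 'qwerty', 'abc123']);

// NIST SP 800-63 Appendix A estimate for user-chosen passwords.
function nistEntropyBits(password) {
  const chars = Array.from(password); // count code points, not UTF-16 units
  let bits = 0;
  chars.forEach((_, i) => {
    if (i === 0) bits += 4;        // first character: 4 bits
    else if (i < 8) bits += 2;     // characters 2-8: 2 bits each
    else if (i < 20) bits += 1.5;  // characters 9-20: 1.5 bits each
    else bits += 1;                // characters 21 and up: 1 bit each
  });
  // NIST grants 6 bits for a composition rule requiring upper case plus
  // non-alphabetic characters; here it is applied when the password has both.
  if (/[A-Z]/.test(password) && /[^A-Za-z]/.test(password)) bits += 6;
  return bits;
}

// Returns an indicator only; nothing is stored, logged or sent anywhere.
function ratePassword(password) {
  if (password.length === 0) return { bits: 0, label: 'empty' };
  // A listed password gets no credit, whatever its length or character mix.
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    return { bits: 0, label: 'common' };
  }
  const bits = nistEntropyBits(password);
  // Thresholds are assumptions for this example, not taken from NIST.
  const label = bits < 18 ? 'weak' : bits < 30 ? 'fair' : 'strong';
  return { bits, label };
}
```

Because the estimate looks only at length and character mix, "Password1!" scores 27 bits here unless it is on the list, which is the kind of gap the zxcvbn article discusses.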

Re: Password Strength Indicator

Reply #5

Quote from: Nao – Checking for password structure might make users feel like the forum is recording them for later use.
A minimum length is already good enough IMHO. I dunno if I would do a preg match to look for numbers only, etc. Opinions?

I guess that's why people are so skeptical about WordPress.

Sorry for the sarcasm, but it is a good feature in my opinion. Maybe we can fetch the strength of the password from any of the password strength checkers available. I am just asking to show them the strength, not force them to use any particular format.

Re: Password Strength Indicator

Reply #6

I did say 'might'. :P