ElkArte Community

Title: Password Strength Indicator
Post by: meetdilip on February 17, 2014, 01:39:38 pm
Will be a nice addition. Something similar to WordPress. Most people use 123456, password etc. The reason is that they just do not know.
Title: Re: Password Strength Indicator
Post by: TE on February 17, 2014, 02:34:23 pm
Mixed feelings.. Password strength is subjective and there's an option to force a mixture of characters for passwords: "Required strength for user passwords".
I still think a password like "%3ddD$RASewe" is insecure since no one can remember those passwords.
Title: Re: Password Strength Indicator
Post by: emanuele on February 17, 2014, 06:42:46 pm
The problem is probably "how to define" strong passwords.
Easy to guess passwords are not so subjective, of course really strong passwords are difficult to identify I think.
Either way, an indication that a password is easy to guess is not that bad to me.

The "how to do" is a totally different thing... lol
Title: Re: Password Strength Indicator
Post by: Nao on February 18, 2014, 09:00:10 am
Checking for password structure might make users feel like the forum is recording them for later use.
A minimum length is already good enough IMHO. I dunno if I would do a preg match to look for numbers only, etc. Opinions?
Title: Re: Password Strength Indicator
Post by: Spuds on February 18, 2014, 11:05:05 am
One could write a checker that follows Estimating Password Entropy and Strength from appendix A here (http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf). This at least gives an idea of how consuming it would be to break it. I'm sure someone has already done this, but hey, it's a good read.

ETA: https://github.com/erikbrannstrom/jQuery-Password-Entropy is not bad as a start, basic in its entropy math but it does have the blacklist word list for the most common passwords (from the RockYou mess)

And more fun .. this is a good article, and it's fun to look at the comparison of strength meters vs what is really a strong password. https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/ Some of those meters are showing a strong password for things that a computer would not even break a sweat on, and the strong ones are shown as weak although that's not the case. This one is available here https://github.com/lowe/zxcvbn
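
As an added example (not part of the original thread and not ElkArte's code): the length and composition rules from Appendix A of NIST SP 800-63 mentioned above, combined with a small common-password blacklist. The function names, the blacklist entries and the label thresholds are assumptions made here; the appendix's dictionary-check bonus is left out and a blacklisted password is simply scored as 0 bits.

```javascript
// Added example: NIST SP 800-63 v1.0.2 Appendix A estimate for a user-chosen
// password. Runs entirely in the browser; nothing is sent or stored.

// Constructed sample blacklist; a real list would hold thousands of entries.
const COMMON_PASSWORDS = new Set(['123456', 'password', '12345678', 'qwerty', 'abc123']);

// Appendix A length rule: 4 bits for the first character, 2 bits each for
// characters 2-8, 1.5 bits each for characters 9-20, 1 bit each after that.
function lengthBits(len) {
  let bits = 0;
  for (let i = 1; i <= len; i++) {
    if (i === 1) bits += 4;
    else if (i <= 8) bits += 2;
    else if (i <= 20) bits += 1.5;
    else bits += 1;
  }
  return bits;
}

// Appendix A gives a 6-bit bonus when upper case and non-alphabetic characters
// are both required. Assumption: here it is granted when both are present.
function compositionBonus(password) {
  const hasUpper = /[A-Z]/.test(password);
  const hasNonAlpha = /[^A-Za-z]/.test(password);
  return hasUpper && hasNonAlpha ? 6 : 0;
}

// Returns the estimate plus a label for the indicator.
// The 18 and 28 bit thresholds are assumptions chosen for this example.
function estimatePassword(password) {
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    return { bits: 0, label: 'easy to guess', blacklisted: true };
  }
  const length = Array.from(password).length; // count code points, not UTF-16 units
  const bits = lengthBits(length) + compositionBonus(password);
  const label = bits < 18 ? 'easy to guess' : bits < 28 ? 'fair' : 'harder to guess';
  return { bits, label, blacklisted: false };
}
```

The estimate is a rough heuristic: it rewards length and character mix only, so the blacklist is what catches passwords like 123456.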
Title: Re: Password Strength Indicator
Post by: meetdilip on February 18, 2014, 09:27:39 pm
Quote from: Nao – Checking for password structure might make users feel like the forum is recording them for later use.
A minimum length is already good enough IMHO. I dunno if I would do a preg match to look for numbers only, etc. Opinions?

I guess that's why people are so skeptical about WordPress.

Sorry for the sarcasm, but it is a good feature in my opinion. Maybe we can fetch the strength of password from any of the password strength checkers available. I am just asking to show them the strength, not force them to use any particular format.
Title: Re: Password Strength Indicator
Post by: Nao on February 19, 2014, 02:56:28 am
I did say 'might'. :P