Re: [Savannah-users] password must be more complicated

[Jan Owoc]

On Wed, May 8, 2013 at 1:34 AM, Bob Proulx <address@hidden> wrote:
>> It is one of the problems, for sure.  Users put together 3 different
>> classes in their 8 chars (already a big pain), it fails, and since the
>> feedback as to why it fails is not specific, they just iterate randomly
>> and find one that works.  Very frustrating.  I've been frustrated by it
>> myself.
>
> Yes.  Let's fix this then.
>
>> Is there a way to get pwqcheck to report more specifically why a pw is
>> bad?
>
> It is actually telling us what it thinks is wrong.  But as far as I
> can tell that is just incorrect.  So we toss it out thinking that it
> isn't really telling us the right thing.  Because it isn't.

I've seen a handful of websites offering a JavaScript-based password
quality checker. The website states something like "you must have a
quality of 40 for me to accept the password", and then the user types
characters, numbers, symbols, etc., until the quality meter hits at
least 40 (of 100). I sometimes dislike that a clever password I've
invented only gets 38, but I get instant feedback, rather than waiting
for the page to reload.

I found one that is GPLv3 [1], so we might be able to adapt it to our
needs. The important thing though, is that if the JavaScript strength
meter says a password is "good", the same algorithm on the server
should accept the password.

[1] http://www.passwordmeter.com/

Jan