
Re: [Savannah-users] password must be more complicated


From: Bob Proulx
Subject: Re: [Savannah-users] password must be more complicated
Date: Mon, 13 May 2013 16:06:01 -0600
User-agent: Mutt/1.5.20 (2009-06-14)

Jan Owoc wrote:
> I've seen a handful of websites offering a JavaScript-based password
> quality checker. The website states something like "you must have a
> quality of 40 for me to accept the password", and then the user types
> characters, numbers, symbols, etc., until the quality meter hits at
> least 40 (of 100). I sometimes dislike that a clever password I've
> invented only gets 38, but I get instant feedback, rather than waiting
> for the page to reload.

> [1]  http://www.passwordmeter.com/

That is pretty cute.  I don't like the deductions section where it
deducts points for repeated letters so much because I think it belies
the understanding that random values will have clusters.  But of
course that could be adjusted.  (Think of flipping a coin.  If you
could never repeat the previous value then obviously it won't be a
very random series.  Same concept here.)

It is Javascript but it is only there to provide immediate feedback to
the user.  Any real security must exist on the server.  And so would
still work just fine if Javascript is turned off or unavailable such
as in lynx, w3m, and so forth.

> I found one that is GPLv3 [1], so we might be able to adapt it to our
> needs. The important thing though, is that if the JavaScript strength
> meter says a password is "good", the same algorithm on the server
> should accept the password.

Agreed.

Thank you for suggesting the tool.  I had not known about it and I am
definitely filing it away for my own use regardless of anything else
that happens with it.  Good stuff.

Bob
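
The arrangement agreed on in the message above, as an added example that is not part of the original message or of Savannah's code: one scoring function shared by the browser meter and the server check, so a password the meter calls good is one the server accepts, and the server recomputes the score itself. The scoring rule, the function names and the sample passwords are assumptions made for illustration; only the 40-of-100 threshold comes from the thread.

```javascript
// Shared module: the same file is served to the browser for the live meter
// and loaded by the server for enforcement. All names are hypothetical.
const MIN_QUALITY = 40; // threshold mentioned in the thread: 40 of 100

// Estimate quality on a 0-100 scale from length and character-class pool size.
// Stand-in scoring rule (an assumption), not passwordmeter.com's algorithm.
function passwordQuality(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  if (pool === 0) return 0;
  const bits = pw.length * Math.log2(pool);
  // 128 bits or more maps to the full score of 100.
  return Math.min(100, Math.round((bits / 128) * 100));
}

// Browser side: advisory feedback only, shown while the user types.
function meterLabel(pw) {
  const q = passwordQuality(pw);
  return `${q}/100 ${q >= MIN_QUALITY ? "ok" : "too weak"}`;
}

// Server side: the real check. It recomputes the score from the submitted
// password and ignores any score field the client may have sent along.
function serverAccepts(form) {
  if (typeof form.password !== "string") return false;
  return passwordQuality(form.password) >= MIN_QUALITY;
}

// Export for the server; in a browser the functions are simply globals.
if (typeof module !== "undefined") {
  module.exports = { MIN_QUALITY, passwordQuality, meterLabel, serverAccepts };
}
```

Because both sides call `passwordQuality`, the meter and the server cannot disagree, and a request sent without JavaScript (or with a forged score) is judged by the same rule.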


