savannah-users

Re: [Savannah-users] password must be more complicated


From: Bob Proulx
Subject: Re: [Savannah-users] password must be more complicated
Date: Wed, 15 May 2013 12:35:35 -0600
User-agent: Mutt/1.5.21 (2010-09-15)

Jan Owoc wrote:
> Bob Proulx wrote:
> > Jan Owoc wrote:
> >> [1]  http://www.passwordmeter.com/
> > That is pretty cute.  I don't like the deductions section where it
> 
> I didn't mean to say that this (randomly found) password checker is
> perfect.

No I was serious that I liked it.  I didn't think it was perfect
either.  But it is pretty nicely done and could be adapted to be
perfect.  I thought it was perfect that you suggested it.

> Until this thread surfaced, I didn't know that a program like
> pwqcheck existed,

Me neither.  But with seven billion people on the planet and a very
large number of them creating new things I am often seeing new things
for the first time.  It keeps things interesting.  :-)

> let alone what the phrase "pwqcheck options are:
> 'match=0 max=256 min=24,24,11,8,7' " meant.

Yes.  That is a little obscure.  I was personally happy to see it on
the web site because then I could go look it up.  On a site catering
to technical people like Savannah I think that is quite nice.  However
I know that for non-technical people that would be intimidating.

> I wanted to point out that a large portion of websites that require
> users to generate passwords either:
> 
> A) have rules written out in human-readable form on what is an
> acceptable password (eg. have all 4 of these character classes AND
> be 7 characters long, or have 3 of 3 character classes AND be 8
> characters long, or be at least 24 characters long); the user can
> then count the characters in the password they've invented or
> generated, and know if it would pass
> 
> B) have some sort of JavaScript-based instant-feedback whether the
> password is "poor", "acceptable", or "strong", with the minimum that
> the site accepts being "acceptable"; the user instantly knows if the
> password will be accepted without having to refresh the page

And C) where the user is given no information at all.  :-(

> I think implementing "A" is much simpler than "B". Could we convert
> the phrase "min=24,24,11,8,7" into text that would be understandable
> to the average user of Savannah?

Good idea.  I would suggest something but I lack the time at the moment.

> > It is Javascript but it is only there to provide immediate feedback to
> > the user.  Any real security must exist on the server.  And so would
> > still work just fine if Javascript is turned off or unavailable such
> > as in lynx, w3m, and so forth.
> 
> Yes, I meant to suggest the JavaScript in addition to the server-side
> checks, as "instant feedback" to the user. It's just that the
> JavaScript, assuming it runs properly, should accept/reject the same
> passwords that the server would then accept/reject.

Sorry.  I was simply voicing the analysis out loud and agreeing with
you as to the benefit of it.  I didn't mean to imply that I was
negatively critical of it.

By way of thought processes I am a big believer in "progressive
enhancement" over "graceful degradation".  And I am sensitive to it
because so many sites go the opposite direction and are therefore
harder to use.  So whenever I see a Javascript component I am always
analyzing it in those ways.

Bob
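As an added example (not code from this thread or from the Savannah site), here is the "min=24,24,11,8,7" rule from the quoted pwqcheck line both as a checker and rendered into the plain-English form Jan asks for. It assumes passwdqc's documented min= semantics (N0 for one character class, N1 for two, N2 for a passphrase, N3 for three, N4 for four; a leading capital letter and a trailing digit are not counted as classes), passwdqc's default of a 3-word passphrase, and whitespace word splitting plus a hard reject above max=, which are simplifications of the real tool.

```python
# Constructed from the thread: "pwqcheck options are: match=0 max=256 min=24,24,11,8,7"
POLICY = "match=0 max=256 min=24,24,11,8,7"


def parse_policy(spec):
    """Parse 'key=value' words; 'min' becomes a 5-slot list with 'disabled' -> None."""
    opts = {}
    for item in spec.split():
        key, _, value = item.partition("=")
        if key == "min":  # N0..N4: 1 class, 2 classes, passphrase, 3 classes, 4 classes
            opts["min"] = [None if s == "disabled" else int(s) for s in value.split(",")]
        else:
            opts[key] = int(value)
    return opts


def char_classes(pw):
    """Count classes (lower/upper/digit/other). passwdqc does not count an
    upper-case first character or a digit last character, so 'Secret1' is one class."""
    body = pw[1:] if pw[:1].isupper() else pw
    body = body[:-1] if body[-1:].isdigit() else body
    kinds = {("lower" if c.islower() else "upper" if c.isupper()
              else "digit" if c.isdigit() else "other") for c in body}
    return max(1, len(kinds))


def check(pw, opts, words=3):
    """Return (ok, reason): pass by class count (N0,N1,N3,N4) OR as a passphrase
    (>= `words` whitespace-separated words and >= N2). Whitespace splitting and a
    hard reject above max= are assumptions here, not passwdqc's exact behaviour."""
    mins = opts["min"]
    if "max" in opts and len(pw) > opts["max"]:
        return False, "longer than max=%d" % opts["max"]
    n = char_classes(pw)
    need = mins[{1: 0, 2: 1, 3: 3, 4: 4}[n]]
    if need is not None and len(pw) >= need:
        return True, "%d classes, length %d >= %d" % (n, len(pw), need)
    if mins[2] is not None and len(pw.split()) >= words and len(pw) >= mins[2]:
        return True, "passphrase of >= %d words, length >= %d" % (words, mins[2])
    return False, "%d classes need %s characters" % (n, need)


def describe(opts, words=3):
    """Render min=N0,N1,N2,N3,N4 as the human-readable rule text Jan asked for."""
    n0, n1, n2, n3, n4 = opts["min"]
    rules = ["use %s and be at least %d characters long" % (label, n)
             for n, label in ((n4, "all 4 character classes"), (n3, "3 character classes"),
                              (n1, "2 character classes"), (n0, "only 1 character class"))
             if n is not None]
    if n2 is not None:
        rules.append("be a passphrase of at least %d words and %d characters" % (words, n2))
    return "A password must either " + ", or ".join(rules) + "."
```

Because the same function produces both the accept/reject decision and the rule text, the server-side check and the wording shown to the user cannot drift apart, which is the consistency concern raised above about the JavaScript feedback.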


