[Users] Password strength checker challenge.

John Webster john at xmission.com
Mon Mar 19 19:29:40 CET 2018


Friends,

What are your thoughts on a password/passphrase entropy calculator using zxcvbn.js?

https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

Password variable criteria would be fairly easy, "8 character minimum" and "24+ entropy".

Best to have the frontend and backend using the same password strength rules to avoid issues.

Enforcement would have to be on the backend, but if you assume people who actively circumvent the password checks know what they're doing, you wouldn't need any backend check. (this circumvention would be pretty non-trivial)

Need to avoid a case where the frontend check allows, then the backend check denys, and the user gets an ugly error.

Zimbra is supposed to respond to some password practice requests in the coming weeks but I'm unsure this idea is much on their radar.

If we could tackle this as a community that would be fantastic.

I look forward to hearing from you.

- John 




More information about the Users mailing list