Password strength checker?

Dominion

This is currently my biggest concern with esoTalk. I'm a bit worried that one of my members will ignore instructions and use a weak password. I'd be happy to see some sort of configurable password strength checker in Flarum.

I don't think it needs to be anything very fancy. Something like this should suffice:

[ ] Minimum password length: [_____] characters
- [ ] Must include both uppercase and lowercase letters
- [ ] Must include at least one numeral

... The second two checkboxes to be greyed out if the first one is deselected. That sort of thing. I suppose it would be possible to check the password against the user name and email address, not to mention a list of obviously bad passwords, but I think the above would be plenty sufficient.

Can I look forward to something like this in Flarum?

Allineer

Dominion Toby how about a fourth rule:
[ ] Must include at least one special character?

Toby

Fantastic idea. I think something like this would be worth having in core. https://github.com/flarum/core/issues/168

Dominion

Toby I think something like this would be worth having in core.

Thank you, Toby! I'd certainly prefer to see it in the core. At least, I'd rather not have to rely on third-party plugins to support essential security-related policies.

Allineer how about a fourth rule:

I agree, Allineer, that would make it even better. In fact, you could even do it this way:

[ ] Must include at least one of the following special characters: [_______]

... where the text box at the end could be an editable list of special characters. Though that may be getting a bit too fancy. A simple list of the permissible characters would be quite sufficient.

Allineer

Dominion, why is it necessary to limit the list of special characters?

Dominion

Allineer It isn't, really. But I've seen password generator apps that allow that sort of thing. And language might be a consideration. Some symbols may be more readily available than others, depending on the keyboard layout being used.

The important thing is to have the list of special characters up front so that users know which ones are allowed.

rookietect

Although I think it is very valuable I must say that I hate too specific password requirements.

Dominion

... Which is why there's a checkbox in front of every line. The admin can decide how specific things should get.

Allineer

Dominion maybe you're right, but I think otherwise.
Using any of special characters will slow down bruteforce attack on the password and we must to allow the user to enter any convenient for him.
Any restriction on the set of allowed characters and tip with a list of allowed characters increases the chances of successfully bruteforce and it's speed.

Dominion

The function as I initially suggested it allows admins to decide whether or not they want to enforce the use of uppercase letters and numerals. If we're going to add special characters as a third optional element, it doesn't make sense to argue that the list of available special characters must be indefinitely large. (In other words, if you're going to argue against allowing the admin to restrict the list of special characters, why aren't you also arguing against the checkboxes?)

I don't think it's the place of the software to decide how strong the end user's passwords should be. The software merely has to give the admins the tools they need to enforce the policies they decide on.

If we're going to require users to include special characters, then we should tell them which characters are required, or run the risk of frustrating them. For example, I've frequently had the experience of trying to register with a site that requires the use of special characters but won't say which ones are allowed. After having my password rejected a few times, I simply gave up and went away. And on one memorable occasion, I used a special character that was interpreted as a delimiter, with the result that my password was truncated and ended up being much shorter than I thought it was.

So at the very least, if the software isn't going to tell users which characters they can use, it should at least let them know which ones they can't use. Anyhow, I'm sure Toby and Franz will come with an elegant and rational implementation.