The issue
Some users are complaining that they cannot register because, although GB Password Strength states that their password is strong, the registration form states that it is not.
Flarum information
Password related extensions installed:
- Password Strength Enforcer
- GB Password Strength
I have already read on the Password Strength Enforcer extension page that there might be some discrepancy between the scores seen on the client and the server because zxcvbn-php is not an exact port of zxcvbn-ts, so I guess that it may be the reason.
However, I think that some of you may have some recommendations to minimize the likelihood of this behavior. I don't think that all the Flarum instances have this same issue and nobody has raised the concern or has found a solution/mitigation approach.
Users are reluctant to share with me the passwords that fail, because they usually end up adding some extra characters.
I am not concerned by the users that warn me (I simply tell them to pick a longer password), but by the users that simply say "it doesn't work" and never create an account.
FYI, I have Password Strength Enforcer set to "Strong". I may reduce the level of security, but intuitively, it doesn't look like a very safe practice.