On Wed, May 8, 2013 at 1:34 AM, Bob Proulx <b...@proulx.com> wrote:
>> It is one of the problems, for sure. Users put together 3 different
>> classes in their 8 chars (already a big pain), it fails, and since the
>> feedback as to why it fails is not specific, they just iterate randomly
>> and find one that works. Very frustrating. I've been frustrated by it
>> myself.
>
> Yes. Let's fix this then.
>
>> Is there a way to get pwqcheck to report more specifically why a pw is
>> bad?
>
> It is actually telling us what it thinks is wrong. But as far as I
> can tell that is just incorrect. So we toss it out thinking that it
> isn't really telling us the right thing. Because it isn't.
I've seen a handful of websites offering a JavaScript-based password quality checker. The website states something like "you must have a quality of 40 for me to accept the password", and then the user types characters, numbers, symbols, etc., until the quality meter hits at least 40 (of 100). I sometimes dislike that a clever password I've invented only gets 38, but I get instant feedback, rather than waiting for the page to reload.

I found one that is GPLv3 [1], so we might be able to adapt it to our needs.

The important thing, though, is that if the JavaScript strength meter says a password is "good", the same algorithm on the server should accept the password.

[1] http://www.passwordmeter.com/

Jan
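As an added illustration of the two points raised in this thread (feedback that names the failing rule, and one checker shared by browser and server), here is example code that is not from the thread, from pwqcheck or from passwordmeter.com. The policy it encodes (at least 8 characters, at least 3 of 4 character classes) is an assumption modelled on the "3 classes in 8 chars" rule discussed above; the function and class names are mine.

```javascript
// Added example: a password-policy checker that reports the specific rule
// that failed instead of a bare "bad password". The thresholds are an
// assumption (8 characters, 3 of 4 character classes), not pwqcheck's policy.
// Plain JavaScript so the identical module can run in the browser for the
// instant meter and on the server (Node) for the authoritative decision.

const MIN_LENGTH = 8;
const MIN_CLASSES = 3;

// Character classes, each with a readable name used in the report.
const CLASSES = [
  { name: "lowercase letter", re: /[a-z]/ },
  { name: "uppercase letter", re: /[A-Z]/ },
  { name: "digit", re: /[0-9]/ },
  { name: "symbol (non-alphanumeric)", re: /[^A-Za-z0-9]/ },
];

// Returns { ok, classes, reasons }: `reasons` lists every violated rule in
// plain language so the user knows what to change rather than guessing.
function checkPassword(password) {
  const reasons = [];
  if (password.length < MIN_LENGTH) {
    reasons.push(
      `too short: ${password.length} characters, need at least ${MIN_LENGTH}`
    );
  }
  const present = CLASSES.filter((c) => c.re.test(password)).map((c) => c.name);
  if (present.length < MIN_CLASSES) {
    const missing = CLASSES.map((c) => c.name).filter((n) => !present.includes(n));
    reasons.push(
      `only ${present.length} of ${MIN_CLASSES} required character classes ` +
        `(have: ${present.join(", ") || "none"}; add one of: ${missing.join(", ")})`
    );
  }
  return { ok: reasons.length === 0, classes: present, reasons };
}

// Server-side gate: it calls the very same checkPassword, so a password the
// client meter showed as acceptable is never rejected after the page submit.
function acceptPassword(password) {
  const result = checkPassword(password);
  return result.ok ? { accepted: true } : { accepted: false, why: result.reasons };
}

if (typeof module !== "undefined") module.exports = { checkPassword, acceptPassword };
```

The meter shows `reasons` as the user types; the server calls `acceptPassword` and echoes the same `why` list on rejection, so the two can never disagree.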