On Mon, May 13, 2013 at 4:06 PM, Bob Proulx <b...@proulx.com> wrote:
> Jan Owoc wrote:
>> I've seen a handful of websites offering a JavaScript-based password
>> quality checker. The website states something like "you must have a
>> quality of 40 for me to accept the password", and then the user types
>> characters, numbers, symbols, etc., until the quality meter hits at
>> least 40 (of 100). I sometimes dislike that a clever password I've
>> invented only gets 38, but I get instant feedback, rather than waiting
>> for the page to reload.
>
>> [1] http://www.passwordmeter.com/
>
> That is pretty cute. I don't like the deductions section where it
> deducts points for repeated letters so much because I think it belies
> the understanding that random values will have clusters. But of
> course that could be adjusted. (Think of flipping a coin. If you
> could never repeat the previous value then obviously it won't be a
> very random series. Same concept here.)
I didn't mean to say that this (randomly found) password checker is
perfect. Until this thread surfaced, I didn't know that a program like
pwqcheck existed, let alone what the phrase "pwqcheck options are:
'match=0 max=256 min=24,24,11,8,7'" meant.

I wanted to point out that a large portion of websites that require
users to generate passwords either:

A) have rules written out in human-readable form on what is an
acceptable password (e.g. have all 4 of these character classes AND be
7 characters long, or have 3 of 3 character classes AND be 8 characters
long, or be at least 24 characters long); the user can then count the
characters in the password they've invented or generated, and know if
it would pass

B) have some sort of JavaScript-based instant feedback on whether the
password is "poor", "acceptable", or "strong", with the minimum that
the site accepts being "acceptable"; the user instantly knows if the
password will be accepted without having to refresh the page

I think implementing "A" is much simpler than "B". Could we convert the
phrase "min=24,24,11,8,7" into text that would be understandable to the
average user of Savannah?

> It is JavaScript but it is only there to provide immediate feedback to
> the user. Any real security must exist on the server. And so would
> still work just fine if JavaScript is turned off or unavailable such
> as in lynx, w3m, and so forth.

Yes, I meant to suggest the JavaScript in addition to the server-side
checks, as "instant feedback" to the user. It's just that the
JavaScript, assuming it runs properly, should accept/reject the same
passwords that the server would then accept/reject.

Cheers,
Jan
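As an added example (not part of the thread, and not passwdqc's or Savannah's code), here is a client-side mirror of the "min=24,24,11,8,7" length rule that the message asks about, together with a plain-language rendering of it, so that the instant-feedback script accepts and rejects the same passwords as the server-side check. It follows the passwdqc manual's description of how character classes are counted; the 3-word passphrase threshold (passwdqc's documented default, not stated in the thread) and the splitting of words on runs of letters are assumptions.

```javascript
// Added example (not from the thread or from passwdqc): a client-side mirror
// of pwqcheck's "min=N0,N1,N2,N3,N4" rule, built from the passwdqc manual.
// Assumed: words are runs of letters, and 3 words make a passphrase
// (passwdqc's documented default; the thread does not give that value).
function parseMin(spec) {
  // "disabled" forbids that kind of password regardless of its length.
  return spec.replace(/^min=/, "").split(",")
    .map(v => (v === "disabled" ? Infinity : parseInt(v, 10)));
}
const POLICY = { min: parseMin("min=24,24,11,8,7"), passphraseWords: 3 };
// Class count (digits, lower, upper, other) as the manual describes it: an
// upper-case first character and a digit last character are not counted,
// so "Password1" is a one-class password held to N0.
function countClasses(pw) {
  const chars = [...pw];
  const n = { digit: 0, lower: 0, upper: 0, other: 0 };
  for (const ch of chars) {
    if (/[0-9]/.test(ch)) n.digit++;
    else if (/[a-z]/.test(ch)) n.lower++;
    else if (/[A-Z]/.test(ch)) n.upper++;
    else n.other++;              // symbols and non-ASCII count as "other"
  }
  if (chars.length && /[A-Z]/.test(chars[0])) n.upper--;
  if (chars.length > 1 && /[0-9]/.test(chars[chars.length - 1])) n.digit--;
  return Math.max(1, Object.values(n).filter(c => c > 0).length);
}
// Minimum length the password is held to: N0/N1/N3/N4 by class count, or
// N2 when it has enough words to qualify as a passphrase.
function requiredLength(pw, policy = POLICY) {
  let required = policy.min[[0, 1, 3, 4][countClasses(pw) - 1]];
  const words = pw.split(/[^A-Za-z]+/).filter(w => w).length;
  if (policy.passphraseWords > 0 && words >= policy.passphraseWords)
    required = Math.min(required, policy.min[2]);
  return required;
}
// Same verdict the server-side pwqcheck would give for the length rule.
function checkPassword(pw, policy = POLICY) {
  const required = requiredLength(pw, policy);
  return { ok: [...pw].length >= required, required };
}
// The plain-language rendering of the policy that the thread asks for.
function describeMin(policy = POLICY) {
  const kinds = ["only one kind of character", "two kinds of characters",
    `a passphrase of ${policy.passphraseWords} or more words`,
    "three kinds of characters", "all four kinds of characters"];
  return policy.min.map((len, i) => len === Infinity
    ? `Passwords using ${kinds[i]} are not accepted.`
    : `Using ${kinds[i]}: at least ${len} characters.`);
}
```

The real pwqcheck also applies dictionary, substring and different-character checks, so a password this script accepts can still be rejected by the server; a password it rejects on length will be rejected there too.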