Jan Owoc wrote:
> Bob Proulx wrote:
> > Jan Owoc wrote:
> >> [1] http://www.passwordmeter.com/
> > That is pretty cute. I don't like the deductions section where it
>
> I didn't mean to say that this (randomly found) password checker is
> perfect.

No I was serious that I liked it. I didn't think it was perfect
either. But it is pretty nicely done and could be adapted to be
perfect. I thought it was perfect that you suggested it.

> Until this thread surfaced, I didn't know that a program like
> pwqcheck existed,

Me neither. But with seven billion people on the planet and a very
large number of them creating new things I am often seeing new things
for the first time. It keeps things interesting. :-)

> let alone what the phrase "pwqcheck options are:
> 'match=0 max=256 min=24,24,11,8,7' " meant.

Yes. That is a little obscure. I was personally happy to see it on
the web site because then I could go look it up. On a site catering
to technical people like Savannah I think that is quite nice. However
I know that for non-technical people that would be intimidating.

> I wanted to point out that a large portion of websites that require
> users to generate passwords either:
>
> A) have rules written out in human-readable form on what is an
> acceptable password (eg. have all 4 of these character classes AND
> be 7 characters long, or have 3 of 3 character classes AND be 8
> characters long, or be at least 24 characters long); the user can
> then count the characters in the password they've invented or
> generated, and know if it would pass
>
> B) have some sort of JavaScript-based instant-feedback whether the
> password is "poor", "acceptable", or "strong", with the minimum that
> the site accepts being "acceptable"; the user instantly knows if the
> password will be accepted without having to refresh the page

And C) where the user is given no information at all. :-(

> I think implementing "A" is much simpler than "B". Could we convert
> the phrase "min=24,24,11,8,7" into text that would be understandable
> to the average user of Savannah?

Good idea. I would suggest something but I lack the time at the
moment.

> > It is Javascript but it is only there to provide immediate feedback to
> > the user. Any real security must exist on the server. And so would
> > still work just fine if Javascript is turned off or unavailable such
> > as in lynx, w3m, and so forth.
>
> Yes, I meant to suggest the JavaScript in addition to the server-side
> checks, as "instant feedback" to the user. It's just that the
> JavaScript, assuming it runs properly, should accept/reject the same
> passwords that the server would then accept/reject.

Sorry. I was simply voicing the analysis out loud and agreeing with
you as to the benefit of it. I didn't mean to imply that I was
negatively critical of it.

By way of thought processes I am a big believer in "progressive
enhancement" over "graceful degradation". And I am sensitive to it
because so many sites go the opposite direction and are therefore
harder to use. So whenever I see a Javascript component I am always
analyzing it in those ways.

Bob
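The two points raised in the thread, turning `min=24,24,11,8,7` into rules a user can read and making the JavaScript feedback accept and reject exactly what the server does, as an added example that is not code from Savannah or from passwdqc. It assumes the server runs pwqcheck with the options quoted above ("match=0 max=256 min=24,24,11,8,7") and passwdqc's default of three words for a passphrase; the character-class counting follows passwdqc's documented rules, while non-ASCII characters and the dictionary and similarity checks are left out.

```javascript
const MIN = { oneClass: 24, twoClasses: 24, passphrase: 11, threeClasses: 8, fourClasses: 7 };
const MAX_LENGTH = 256;         // max=256
const PASSPHRASE_WORDS = 3;     // passwdqc default (assumed; not stated in the thread)

// Count character classes the way passwdqc does (lower-case, upper-case, digits,
// other). An upper-case letter used as the first character and a digit used as the
// last character are too common to count, so they are dropped before counting.
function countClasses(pw) {
  let s = pw;
  if (/^[A-Z]/.test(s)) s = s.slice(1);
  if (/[0-9]$/.test(s)) s = s.slice(0, -1);
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/].filter((re) => re.test(s)).length;
}

// A word is a run of ASCII letters; anything else separates words.
function countWords(pw) {
  return pw.split(/[^a-zA-Z]+/).filter((w) => w.length > 0).length;
}

// Returns null when the server would accept the password, otherwise a
// plain-language reason suitable for instant feedback next to the form field.
function checkPassword(pw) {
  if (pw.length > MAX_LENGTH) return `Password must be at most ${MAX_LENGTH} characters long.`;
  const classes = countClasses(pw);
  // min=N0,N1,N2,N3,N4: N0 one class, N1 two, N2 passphrase, N3 three, N4 four.
  const required = [Infinity, MIN.oneClass, MIN.twoClasses, MIN.threeClasses, MIN.fourClasses][classes];
  if (pw.length >= required) return null;
  if (countWords(pw) >= PASSPHRASE_WORDS && pw.length >= MIN.passphrase) return null;
  if (classes === 0) return 'Password is too short.';
  return `A password using ${classes} kind(s) of characters must be at least ${required} ` +
    `characters long (${pw.length} given), or be a passphrase of ${PASSPHRASE_WORDS}+ words ` +
    `and ${MIN.passphrase}+ characters.`;
}

// The same policy written out as "A"-style rules, generated from the numbers the
// server uses so the two never drift apart.
function describeRules() {
  return [
    'Passwords may use four kinds of characters: lower-case letters, upper-case letters, digits and other symbols.',
    `Use all four kinds and at least ${MIN.fourClasses} characters, or`,
    `use three kinds and at least ${MIN.threeClasses} characters, or`,
    `use a passphrase of at least ${PASSPHRASE_WORDS} words and ${MIN.passphrase} characters, or`,
    `use at least ${MIN.oneClass} characters of any kind. Nothing over ${MAX_LENGTH} characters.`,
    'A capital letter at the very start or a digit at the very end does not count as an extra kind.',
  ];
}
```

Wiring `checkPassword` to the field's input event gives the "B" feedback, and `describeRules()` gives the "A" text, both from the same constants the server-side pwqcheck call uses.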