
Enforce username/password case limits

Open JaviTrek opened this issue 2 years ago • 2 comments

JaviTrek, Apr 12 '23 23:04

For passwords, requiring a certain format is generally considered harmful. https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/ """ For example, many companies require that users include special characters, like a number, symbol, or uppercase letter, in their passwords to make them harder to decrypt.

Unfortunately, many users will add complexity to their password by simply capitalizing the first letter of their password or adding a “1” or “!” to the end. And while it technically does make a password more difficult to crack, most password-crackers worth their salt know users tend to follow these patterns and can use them to reduce the time needed to decrypt a stolen password.

Additionally, as password complexity increases, users tend to reuse passwords from account to account, increasing the risk that they could be the victim of a credential stuffing attack if one account is breached.

So instead of forcing users to create more complex passwords, ask them to create longer ones if you want to improve password security. """

megagreg72, May 07 '23 03:05

@megagreg72 Length is definitely better than enforcing specific characters, but to prevent a similar issue of users just padding their password with aaaa, I think we should use a library to set a minimum password complexity. This should then be reflected in the browser as well. You commonly see a bar that grows and indicates if the password is bad (don't allow), decent, good or excellent.

FunctionDJ, May 07 '23 21:05
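A length-first check in the spirit of the two comments above, as an added example and not WarsWorld's own code: no composition rules, but a password padded with "aaaa" still lands in the "bad" bucket, and the four buckets match the strength bar described. The 12-character minimum, the bit cut-offs and the entropy estimate are assumptions for illustration, not values from any library.

```typescript
// Added example: length-first password policy with a padding penalty.
// Thresholds and the entropy estimate are constructed assumptions.

export type Strength = "bad" | "decent" | "good" | "excellent";

const MIN_LENGTH = 12; // assumed minimum; no composition rules enforced

// Longest run of one repeated character, e.g. "abaaaa" -> 4.
export function longestRun(pw: string): number {
  let best = 0, run = 0, prev = "";
  for (const ch of pw) {
    run = ch === prev ? run + 1 : 1;
    prev = ch;
    if (run > best) best = run;
  }
  return best;
}

// Rough guessing-resistance estimate in bits: log2(distinct chars) per
// character, where runs longer than 2 are collapsed to 2 so that "aaaaaaaa"
// padding adds almost nothing. A real deployment should prefer a maintained
// strength-estimation library; this is only to show the idea.
export function estimateBits(pw: string): number {
  const distinct = new Set(pw).size;
  if (distinct === 0) return 0;
  const effective = pw.replace(/(.)\1{2,}/g, "$1$1").length;
  return effective * Math.log2(distinct);
}

// Buckets for the browser strength bar (assumed cut-offs).
export function strength(pw: string): Strength {
  const bits = estimateBits(pw);
  if (pw.length < MIN_LENGTH || bits < 30) return "bad";
  if (bits < 45) return "decent";
  if (bits < 60) return "good";
  return "excellent";
}

// Server-side acceptance: only the "bad" bucket is refused.
export function isAcceptable(pw: string): boolean {
  return strength(pw) !== "bad";
}
```

The same functions can drive both the client-side bar and the server-side check, so the two cannot drift apart.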