self-service-password
Password Strength Meter
I would like to see some indication of password strength estimation added so that when users are changing their passwords they can be told if their password is terrible.
There are several examples of how this might look. Dropbox puts a small vertical column of dots on the right edge of the textbox: 1 dot is bad, but a stack of 4 dots is strong. Image.
Google has the text "Password Strength:" which is followed by words like "Too Short", "Strong", etc.
I've found Dropbox has a GPL'd library (zxcvbn) which outputs a score from 0 to 4 (as well as other information). This could be used to update a password strength meter as users are typing. A variable in config.inc.php could reject passwords that are too weak.
I am working on this on my dev branch mainly to avoid frustrating users. It can be really frustrating for users to enter a password thinking it is a good one and have the server rejecting it, multiple times.
I implemented only the server side of zxcvbn for now. The required score is configurable in config, default 3. Later I will add an optional JS implementation to provide the meter and as-you-type strength and policy checks; I intend to display the result with the list of violated constraints from the server. (In SSP 1.2 only one violation is returned by the server at a time. On my branch all violations are displayed, including a recycled message "Your password is not strong enough" if it does not pass zxcvbn.)
Note: JS zxcvbn and PHP zxcvbn do not always provide the same results. IIRC because they have different dictionaries and maybe the latest JS is not ported.
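The server-side approach described above (collect every violated constraint rather than stopping at the first one, and treat a low zxcvbn score as one more violation) as an added example; this is not the project's code, and the config names and violation codes are hypothetical. It assumes the zxcvbn-php library (composer package bjeavons/zxcvbn-php) is installed.

```php
<?php
// Added example, not self-service-password's own code.
// Assumes the zxcvbn-php library is available through Composer's autoloader.
require_once __DIR__ . '/vendor/autoload.php';

use ZxcvbnPhp\Zxcvbn;

// Hypothetical settings in the style of config.inc.php
$pwd_min_length       = 8;    // 0 disables the rule
$pwd_min_digit        = 1;    // 0 disables the rule
$use_zxcvbn           = true;
$pwd_zxcvbn_min_score = 3;    // zxcvbn scores range from 0 (weakest) to 4

/**
 * Returns an array of violation codes; an empty array means the password is accepted.
 * Every rule is evaluated, so the user sees all problems in one round trip.
 * $user_inputs (login, name, mail, ...) are handed to zxcvbn so that passwords
 * built from the user's own account data are scored as weak.
 */
function check_password_policy(string $password, array $user_inputs, array $cfg): array
{
    $violations = [];

    if ($cfg['pwd_min_length'] > 0 && mb_strlen($password) < $cfg['pwd_min_length']) {
        $violations[] = 'tooshort';
    }
    if ($cfg['pwd_min_digit'] > 0 && preg_match_all('/\d/', $password) < $cfg['pwd_min_digit']) {
        $violations[] = 'notenoughdigit';
    }
    if ($cfg['use_zxcvbn']) {
        // passwordStrength() returns an array whose 'score' key holds the 0..4 rating
        $strength = (new Zxcvbn())->passwordStrength($password, $user_inputs);
        if ($strength['score'] < $cfg['pwd_zxcvbn_min_score']) {
            $violations[] = 'notstrongenough';  // reuses the "not strong enough" message
        }
    }
    return $violations;
}

$cfg = compact('pwd_min_length', 'pwd_min_digit', 'use_zxcvbn', 'pwd_zxcvbn_min_score');

// Constructed sample inputs: a dictionary-style password that satisfies the
// length and digit rules but is typically rated weak by zxcvbn, and a very short one.
print_r(check_password_policy('Password1', ['jdoe', 'John Doe'], $cfg));
print_r(check_password_policy('ab1', ['jdoe', 'John Doe'], $cfg));
```

Because the PHP and JS ports of zxcvbn can disagree, the server-side result should remain the one that decides acceptance; a client-side meter only previews it.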
Oh! That's great to hear.
I just pushed a rough implementation to my fork; has both server and client side, but I didn't use php-zxcvbn and I didn't make anything configurable.
Here is how it looks on my dev branch with all the currently supported rules: It is just for the demo, I won't recommend using other rules than the zxcvbn strength score

I also want to display the strength level strong/weak next to the hide/show password button but that is not implemented yet.
Has been done by @davidcoutadeur for 1.6