Hi Madhava,

I'm not keen on password strength estimators. Two reasons: 

1) It's not clear how they should work. There's a lot of debate about what 
qualifies as a "strong password", and many strength estimators often do silly 
things like say "password0" is weak but "password9" is strong. 
2) They add UX noise for unknown benefit. Plus I'm a believer that if a user really 
wants a weak password for whatever reason [1], we shouldn't shame them with a 
big red indicator or frowny face. 

There are some things I think we should do:
1) Require a minimum length (8 char?)
2) Provide guidance for users who would like to know how to choose a stronger 
password
3) Throttle bad password guesses

Another interesting idea is to disallow users from using passwords on a 
"naughty list", e.g., a list of the X hundred or thousand most common 
passwords. This combined with throttling can be quite effective.

-chris

[1] hey, how often do you sign up for a service you don't care about much or 
just wanna try out and give it some garbage password?
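The three concrete measures in the message (a minimum length, a deny list of the most common passwords, and throttling of bad guesses) fit together in a small piece of code. The following is an added example, not code from the original post or from Mozilla Sync; the deny list is a constructed ten-entry stand-in for a real top-N list, the case-folding before the deny-list lookup and the throttle limits (5 failures per 5 minutes) are assumptions, and `attempt_login` compares plaintext strings only as a stand-in for a real hash verification.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MIN_LENGTH = 8  # the 8-character floor floated in the message

# Constructed stand-in for a "naughty list" of the most common passwords.
# A real deployment would load the top few hundred or thousand from a file.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein",
    "password1", "iloveyou", "abc123", "111111", "monkey",
})


def check_password(candidate: str,
                   denylist=COMMON_PASSWORDS,
                   min_length: int = MIN_LENGTH) -> Tuple[bool, str]:
    """Return (ok, reason). Two binary rules, no strength score."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    # Assumption: fold case so "Password1" hits the same entry as "password1".
    if candidate.lower() in denylist:
        return False, "appears on the common-password list"
    return True, "accepted"


@dataclass
class GuessThrottle:
    """Per-account sliding-window throttle for failed login attempts."""
    max_failures: int = 5
    window_seconds: float = 300.0
    clock: Callable[[], float] = time.monotonic  # injectable for testing
    _failures: Dict[str, List[float]] = field(default_factory=dict)

    def allowed(self, account: str) -> bool:
        now = self.clock()
        recent = [t for t in self._failures.get(account, [])
                  if now - t < self.window_seconds]
        self._failures[account] = recent  # drop failures outside the window
        return len(recent) < self.max_failures

    def record_failure(self, account: str) -> None:
        self._failures.setdefault(account, []).append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(throttle: GuessThrottle, account: str,
                  supplied: str, actual: str) -> str:
    """Throttle is consulted before the credential is checked, so a locked-out
    account is refused even when the guess is correct."""
    if not throttle.allowed(account):
        return "throttled"
    # Stand-in for verifying against a stored password hash.
    if hmac.compare_digest(supplied.encode(), actual.encode()):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "rejected"


if __name__ == "__main__":
    for pw in ("pass", "Password1", "correct horse battery"):
        print(pw, "->", check_password(pw))
    th = GuessThrottle(max_failures=3, window_seconds=60)
    for guess in ("a", "b", "c", "right"):
        print(guess, "->", attempt_login(th, "alice", guess, "right"))
```

Because the clock is injected, the lockout window can be exercised deterministically: advance a fake clock past `window_seconds` and the account is accepted again.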

_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
