This one is a little better than average, though, :) https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
-chris

On Jan 8, 2014, at 3:51 PM, Chris Karlof <[email protected]> wrote:

> Hi Madhava,
>
> I'm not keen on password strength estimators. Two reasons:
>
> 1) It's not clear how they should work. There's a lot of debate of what
> qualifies as a "strong password", and many strength estimators often do silly
> things like say "password0" is weak but "password9" is strong.
> 2) They add UX noise for unknown benefit. Plus, I'm a believer that if a user
> really wants a weak password for whatever reason [1], we shouldn't shame them
> with a big red indicator or frowny face.
>
> There are some things I think we should do:
> 1) Require a minimum length (8 char?)
> 2) Provide guidance for users who would like to know how to choose a stronger
> password
> 3) Throttle bad password guesses
>
> Another interesting idea is to disallow users from using passwords on a
> "naughty list", e.g., a list of the X hundred or thousand most common
> passwords. This combined with throttling can be quite effective.
>
> -chris
>
> [1] hey, how often do you sign up for a service you don't care about much or
> just wanna try out and give it some garbage password?
>
> _______________________________________________
> Dev-fxacct mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/dev-fxacct

_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
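The three measures proposed in the quoted message (minimum length, a "naughty list", and throttling of bad guesses) can be sketched as follows. This is an added example, not part of the thread and not Firefox Accounts code; the function and class names, the sample list entries, and the throttle limits are all assumptions chosen for illustration.

```python
import time
from collections import deque

MIN_LENGTH = 8  # the thread suggests "8 char?"; treated here as an assumption

# Constructed sample entries; a real list would hold the X hundred or
# thousand most common passwords, as the message describes.
NAUGHTY_LIST = {"password", "password0", "password9", "12345678", "qwertyuiop"}


def check_new_password(candidate, naughty=NAUGHTY_LIST, min_length=MIN_LENGTH):
    """Accept or reject a new password. No score, meter or frowny face."""
    if len(candidate) < min_length:
        return False, "too_short"
    # Case-insensitive match so "Password0" is treated like "password0".
    if candidate.casefold() in naughty:
        return False, "too_common"
    return True, "ok"


class GuessThrottle:
    """Per-account sliding-window limit on failed logins (hypothetical limits)."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock          # injectable so the window can be tested
        self.failures = {}          # account -> deque of failure timestamps

    def allowed(self, account):
        """True if the account has fewer than max_failures recent failures."""
        cutoff = self.clock() - self.window
        recent = sum(1 for t in self.failures.get(account, ()) if t > cutoff)
        return recent < self.max_failures

    def record_failure(self, account):
        q = self.failures.setdefault(account, deque())
        now = self.clock()
        # Drop timestamps that have aged out of the window before appending.
        while q and q[0] <= now - self.window:
            q.popleft()
        q.append(now)

    def record_success(self, account):
        # A correct login clears the account's failure history.
        self.failures.pop(account, None)
```

With the denylist removing the most common guesses and the throttle capping how many guesses fit in a window, an online attacker gets few attempts and none of the cheap ones.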

