Do you think we can fit this in? It looks pretty great.

On Jan 9, 2014, at 3:00 PM, Chris Karlof <[email protected]> wrote:

> This one is a little better than average, though, :)
>
> https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
>
> -chris
>
>
> On Jan 8, 2014, at 3:51 PM, Chris Karlof <[email protected]> wrote:
>
>> Hi Madhava,
>>
>> I'm not keen on password strength estimators. Two reasons:
>>
>> 1) It's not clear how they should work. There's a lot of debate of what
>> qualifies as a "strong password", and many strength estimators often do
>> silly things like say "password0" is weak but "password9" is strong.
>> 2) They add UX noise for unknown benefit. Plus I'm a believer that if a user
>> really wants a weak password for whatever reason [1], we shouldn't shame
>> them with a big red indicator or frowny face.
>>
>> There are some things I think we should do:
>> 1) Require a minimum length (8 char?)
>> 2) Provide guidance for users who would like to know how to choose a
>> stronger password
>> 3) Throttle bad password guesses
>>
>> Another interesting idea is to disallow users from using passwords on a
>> "naughty list", e.g., a list of the X hundred or thousand most common
>> passwords. This combined with throttling can be quite effective.
>>
>> -chris
>>
>> [1] hey, how often do you sign up for a service you don't care about much or
>> just wanna try out and give it some garbage password?
>>
>> _______________________________________________
>> Dev-fxacct mailing list
>> [email protected]
>> https://mail.mozilla.org/listinfo/dev-fxacct

Ryan Feeley
Product Designer, Identity
Mozilla UX
IRC: rfeeley
_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
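The measures listed in the quoted message (a minimum length, a "naughty list", and throttling of bad guesses), sketched as an added example that is not from the thread or from any Firefox Accounts code. All names, the limits other than the 8-character floor, and the sample list are assumptions made for illustration.

```javascript
// Added illustration; names, limits and the sample list are assumptions.
const MIN_LENGTH = 8;              // the "8 char?" floor floated in the thread
const MAX_FAILURES = 5;            // assumed: failed guesses tolerated per window
const WINDOW_MS = 15 * 60 * 1000;  // assumed: 15-minute sliding window

// Constructed sample; a real list would hold the most common passwords.
const NAUGHTY_LIST = new Set(['password', 'password1', '12345678', 'qwertyuiop', 'iloveyou']);

// Signup-time check: length floor plus naughty list, no strength meter.
function checkNewPassword(password, naughty = NAUGHTY_LIST) {
  // Spread counts code points, so astral characters count once each.
  if ([...password].length < MIN_LENGTH) return { ok: false, reason: 'too_short' };
  // Case-fold so "Password1" does not slip past a lowercase list entry.
  if (naughty.has(password.toLowerCase())) return { ok: false, reason: 'too_common' };
  return { ok: true, reason: null };
}

// Login-time throttle: tracks recent failed guesses per account.
class GuessThrottle {
  constructor(maxFailures = MAX_FAILURES, windowMs = WINDOW_MS) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // account id -> timestamps of failed guesses
  }
  // Failures still inside the window; expired entries are dropped.
  recent(account, now) {
    const kept = (this.failures.get(account) || []).filter(t => now - t < this.windowMs);
    if (kept.length) this.failures.set(account, kept);
    else this.failures.delete(account);
    return kept;
  }
  // True when another guess may be checked for this account right now.
  allowed(account, now = Date.now()) {
    return this.recent(account, now).length < this.maxFailures;
  }
  recordFailure(account, now = Date.now()) {
    const kept = this.recent(account, now);
    kept.push(now);
    this.failures.set(account, kept);
  }
  // A correct login clears the account's failure history.
  recordSuccess(account) {
    this.failures.delete(account);
  }
}
```

The two pieces work together: the list removes the passwords an online guesser would try first, and the throttle caps how many of the remaining candidates can be tried per window.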

