[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-users] password must be more complicated

From: Jan Owoc
Subject: Re: [Savannah-users] password must be more complicated
Date: Mon, 13 May 2013 17:19:53 -0600

On Mon, May 13, 2013 at 4:06 PM, Bob Proulx <address@hidden> wrote:
> Jan Owoc wrote:
>> I've seen a handful of websites offering a JavaScript-based password
>> quality checker. The website states something like "you must have a
>> quality of 40 for me to accept the password", and then the user types
>> characters, numbers, symbols, etc., until the quality meter hits at
>> least 40 (of 100). I sometimes dislike that a clever password I've
>> invented only gets 38, but I get instant feedback, rather than waiting
>> for the page to reload.
>> [1]
> That is pretty cute.  I don't like the deductions section where it
> deducts points for repeated letters so much because I think it belies
> the understanding that random values will have clusters.  But of
> course that could be adjusted.  (Think of flipping a coin.  If you
> could never repeat the previous value then obviously it won't be a
> very random series.  Same concept here.)

I didn't mean to say that this (randomly found) password checker is
perfect. Until this thread surfaced, I didn't know that a program like
pwqcheck existed, let alone what the phrase "pwqcheck options are:
'match=0 max=256 min=24,24,11,8,7' " meant. I wanted to point out that
a large portion of websites that require users to generate passwords

A) have rules written out in human-readable form on what is an
acceptable password (eg. have all 4 of these character classes AND be
7 characters long, or have 3 of 3 character classes AND be 8
characters long, or be at least 24 characters long); the user can then
count the characters in the password they've invented or generated,
and know if it would pass

B) have some sort of JavaScript-based instant-feedback whether the
password is "poor", "acceptable", or "strong", with the minimum that
the site accepts being "acceptable"; the user instantly knows if the
password will be accepted without having to refresh the page

I think implementing "A" is much simpler than "B". Could we convert
the phrase "min=24,24,11,8,7" into text that would be understandable
to the average user of Savannah?

> It is Javascript but it is only there to provide immediate feedback to
> the user.  Any real security must exist on the server.  And so would
> still work just fine if Javascfript is turned off or unavailable such
> as in lynx, w3m, and so forth.

Yes, I meant to suggest the JavaScript in addition to the server-side
checks, as "instant feedback" to the user. It's just that the
JavaScript, assuming it runs properly, should accept/reject the same
passwords that the server would then accept/reject.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]