I think we create a false sense of security with the new cool JS password strength checker. It only checks for mixed caps, length and punctuation. And it says "Password strength: High" (in green) when a "strong" password has been entered.

But since it is only testing for very limiting criteria, we can give the user a false sense of security that his password strength is high when in fact it CAN be very weak. For example "W3lc0m3!" is a password in the top 10 weak passwords I presume yet we call it "strong".

I think we need a small text here like "We think your password strength is [green]High[green], yet be sure not to use oddly spelled dictionary words, and do change your password regularly" (or so).

What is your stand?
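To make the concern above concrete, here is an added example (not Drupal's code, and not the checker the post refers to): a naive strength checker of the kind described, which awards "High" for mixed case, a digit, punctuation and length, beside a variant that first undoes common leetspeak substitutions and rejects anything that normalises to a known weak password. The function names, the substitution table and the tiny COMMON_PASSWORDS list are assumptions constructed for the example; a real deployment would use a large cracked-password wordlist.

```javascript
// Constructed sample of a "common passwords" list (assumption: a real
// checker would load a far larger wordlist).
const COMMON_PASSWORDS = new Set([
  'password', 'welcome', 'admin', 'letmein', 'qwerty', 'test123', 'monkey',
]);

// Character substitutions that dictionary crackers try as permutations
// (assumed table; deliberately small).
const LEET_MAP = {
  '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's',
};

// Naive checker: one point each for length >= 8, mixed case, a digit and a
// punctuation character. Four points is reported as "High".
function naiveStrength(pw) {
  let score = 0;
  if (pw.length >= 8) score++;
  if (/[a-z]/.test(pw) && /[A-Z]/.test(pw)) score++;
  if (/[0-9]/.test(pw)) score++;
  if (/[^A-Za-z0-9]/.test(pw)) score++;
  if (score >= 4) return 'High';
  return score >= 2 ? 'Medium' : 'Low';
}

// Undo leetspeak and lower-case, so "W3lc0m3" becomes "welcome".
function deleet(s) {
  return s.split('').map(ch => LEET_MAP[ch] || ch).join('').toLowerCase();
}

// Candidate base words a cracker would reach quickly from this password:
// the password with surrounding punctuation stripped, its de-leeted form,
// and the de-leeted form with a trailing run of digits removed
// ("P@ssw0rd123" -> "password").
function baseWords(pw) {
  const trimmed = pw.replace(/^[^A-Za-z0-9]+/, '').replace(/[^A-Za-z0-9]+$/, '');
  return [
    trimmed.toLowerCase(),
    deleet(trimmed),
    deleet(trimmed.replace(/[0-9]+$/, '')),
  ];
}

// Dictionary-aware checker: anything that reduces to a common password is
// "Low" regardless of how many character classes it mixes; otherwise fall
// back to the naive score.
function betterStrength(pw) {
  if (baseWords(pw).some(w => COMMON_PASSWORDS.has(w))) return 'Low';
  return naiveStrength(pw);
}

// Side-by-side comparison for a few constructed inputs.
function compare(passwords) {
  return passwords.map(pw => ({ pw, naive: naiveStrength(pw), better: betterStrength(pw) }));
}

for (const row of compare(['W3lc0m3!', 'P@ssw0rd123', 'welcome', 'xT9#qLm2vR'])) {
  console.log(`${row.pw.padEnd(14)} naive=${row.naive.padEnd(6)} better=${row.better}`);
}
```

The point of the second checker is not that its wordlist is complete, but that the score must be computed on what a cracker would actually try: the character-class rules alone cannot tell "W3lc0m3!" apart from a random string of the same length.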

Comments

webchick:

For example "W3lc0m3!" is a password in the top 10 weak passwords I presume yet we call it "strong".

Really? What .dict file has that in its top 10? Most ones I've found have things like 'admin', 'password', 'test123', username, etc.

But even with a dictionary-based cracker that supports permutations of dictionary words, it would still take quite a while to arrive at that one, wouldn't it? Especially with the ! at the end. And a brute-force attack would take prohibitively long. Obviously, it's far less secure than O@&#O*U(D*S&F(S*&D(*S&D(, but MUCH better than 'welcome', and the user won't have to write it on a post-it note on his monitor. ;P

As far as security goes, I'm far more worried about the MD5 storage that Drupal uses for passwords; with the advent of rainbow tables, which can now crack any MD5 password hash up to 6 characters, I think.

At any rate, though, I wouldn't oppose a patch that added a description of our algorithm to the password field, and noted that the safest passwords are not those based on dictionary words.

keith.smith:

Version: 6.x-dev » 7.x-dev
Component: user.module » documentation

At any rate, though, I wouldn't oppose a patch that added a description of our algorithm to the password field, and noted that the safest passwords are not those based on dictionary words.

Making this a documentation component issue for 7.x-dev.

lilou:

Title: False sense of security » False sense of security for password strength
Category: bug » task
jhodgdon:

Component: documentation » user.module
Issue tags: +ui-text

The documentation component is for API documentation. This would be a user interface text patch in the user module.

frob:

This is a big problem. Making this system pluggable would be the best solution.

http://drupal.org/node/1023242 was just marked a duplicate of this issue. However, I think that the title of that one is more explanatory: "password is not a "fair" password".