Indicate what minimum strength is required in password widget

Your proposal seems OK. I think it would be better as "The required minimum strength is strong." Moving the word required up front will help people see that it is important text and highlighting the most important word should help them get the summary of the info.

I could also imagine having 2 horizontal bars:

[*** ] - your score
[******* ] - required score

I have a little proposal that started from trying to solve this issue but it expanded a bit.

So currently the horizontal bar indicating the strength of the password is scaled from very weak to very strong in case no strength requirement is set, however when the requirement is set, the maximum of the bar is the required strength. I think this is a bit confusing, and users won't want to have better a better password set than the required as good would show the full green bar if the required strength is not set to very strong.

My proposal:

• The bar should always be scaled from very weak to very strong.
• The currently unused message_requirements field could show the required password strength if set. The according CSS is a bit weird because of the added border to p elements. What was it used for? Or is it still used?
• The password not reaching the required strength should be in the list of flaws.

I think you're right that the required password strength should be visible after starting to enter a password so the user can understand the strength rating in accordance to the requirement.

Are you suggesting that the length of the bar also reflect the strength? Right now the length is either 0%, 50% or 100%, and the color adds additional acceptance suggestion, going from red to yellow to green, and finally with a check mark on highest strength.

In hindsight relying on color communication is not universally accessible, but communicating the 0-4 range in bar length alone doesn't feel sufficient as is. The input field is short so 20% increment changes may not be noticeable.

Right now the length is either 0%, 50% or 100%

That is true with the required strength set to good.
If you set it to strong you will see 0%, 33%, 67%, 100%.
If you set it to disabled or very strong you will see 0%, 25%, 50%, 75%, 100%.
So currently 100% is always the required strength, or if it's not set then it's very strong.

My suggestion is to use only the last scale, so users will know that their password can get better than good for example. It's a kind of a motivation to target the best possible strength.

I think the 25% changes with the colors also changing and the "Password strength: ..." text changing is fairly noticeable.

Ah, you're right, I forgot that the bar does advance in stages matching what the required strength is. Yes, I think the last scale is appropriate along with including the required strength level before submitting the form.

Here's a patch for my proposal with a screenshot.
If this is the preferred UX I'll update the issue summary.

Now if the strength requirement is disabled it won't show that Very Weak is the requirement.

I removed the part that is not relevant to this issue (the scale of the bar). Will open a separate issue for that soon.

+++ b/password_strength.module
@@ -453,6 +462,30 @@ function password_strength_get_message_strength($strength) {
+            . '<span class="value text-score-' . $strength['score_required']

With this class it means the check mark appears, which for me on Chrome overlaps with the text before it. You could use a different class that has green font color but no background image.

Also, the meter is appearing at the top of the settings page test widget for me in Chrome OSX. @banviktor do you get that?

Oh right sorry. Didn't try Very Strong as a requirement... it does have that background image.

Also, the meter is appearing at the top of the settings page test widget for me in Chrome OSX. @banviktor do you get that?

Yes. Sadly that's not the effect of the patch so will have to dig to find out what's causing it. This will need a third issue.

No background image for Very Strong in the requirements.

Yeah, the meter appearing on top can be handled separately. Patch in #16 looks really good, just one remaining discussion issue.

I think the original idea of the check mark was that it signified that the entered password is acceptable and meets the requirement. Now the requirement is communicated in text matches color and the check mark only appears for Very Strong, which is a different meaning. This new meaning is OK with me since we want users to have very strong passwords, but worth discussing.

I think it makes more sense to have the check mark appear if the password meets the requirement. That's what check marks are for usually.

This modification would solve my css problem too (that workaround in #16 wasn't the cleanest). The check mark background could be a separate class this way.

So +1 for the old meaning. Separate issue or can I do it here (if that is the preferred UX)?

Sounds good, let's keep it in this issue. Setting to needs work.

Check mark is now shown if strength reaches the required score. Looks a bit weird though when set to 'disabled' (green check mark with a red Very Weak message).

@banviktor could you make it so the check mark only appears if there's a required strength level set (e.g. not disabled)?

Here it is.

Thank you @banviktor! Committed to 7.x and marking this issue for backport.

I assume that the 6.x branch is no longer maintained.

As a 7.x issue it's fixed, so moving there to track it was fixed.