Currently when configuring the password strength constraint, the "Password Strength Minimum Score" doesn't say a lot about what these scores actually mean. (Perhaps security-oriented Drupal devs know already, but I've been using Drupal for 10+ years and only have a vague idea of these and that "stronger is better" for my personal password.)
Could we consider documenting what each level corresponds to in terms of one or more of:
a) what's allowed/not allowed
b) how secure the password is when subject to brute-force attacks
c) some other metric
Ideally I think it would be helpful to have this as part of the help text when configuring that constraint, but I don't know if #2598714: Ability to alter AJAX constraints UI text in Password Policy might make that difficult. If it is, it'd be great to at least document these in the README and/or on the project page.
Comments
Comment #2
rootwork commented:
I found the password strength code in core/modules/user/user.js. I don't see any documentation on d.o about these password strengths. So maybe this is outside the scope of this module, although this module does surface these strength ratings more substantially, at least to site admins.
Here's the relevant section of user.js:
Comment #3
Phil Wolstenholme commented:
@rootwork posted the Drupal core password strength code, but this module does not use that code.
This module's project page mentions that it uses https://github.com/bjeavons/zxcvbn-php, which is a PHP library that estimates password strength beyond just 'does it have X number of characters, X number of uppercase characters, and X number of characters in total'.
You can see a short summary on https://github.com/bjeavons/zxcvbn-php:
And there is a longer summary on https://github.com/dropbox/zxcvbn:
It's quite hard to document how the score is calculated as the library does so much! Perhaps this info may be useful; it does at least give the scores some context:
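As an added example that is not part of this thread, the Password Policy module, or zxcvbn-php: the script below reproduces the published zxcvbn scoring thresholds and crack-time estimates (the guesses_to_score and time_estimates logic in dropbox/zxcvbn, which the PHP port is assumed to keep unchanged) so the 0 to 4 "Password Strength Minimum Score" can be read as a brute-force budget. The function names and the guess counts fed in are illustrative, constructed inputs, not values the library reported for any real password.

```python
import math

# Thresholds from dropbox/zxcvbn's guesses_to_score, reproduced here (assumption:
# zxcvbn-php keeps the same values). DELTA keeps a password whose estimate sits
# exactly on a power of ten in the lower score band.
DELTA = 5
SCORE_THRESHOLDS = [(1e3, 0), (1e6, 1), (1e8, 2), (1e10, 3)]

# Attack scenarios and guess rates from dropbox/zxcvbn's time_estimates.
ATTACK_RATES = {
    "online_throttling_100_per_hour": 100 / 3600,
    "online_no_throttling_10_per_second": 10,
    "offline_slow_hashing_1e4_per_second": 1e4,
    "offline_fast_hashing_1e10_per_second": 1e10,
}


def guesses_to_score(guesses: float) -> int:
    """Map an estimated guess count to the 0-4 score the module's form exposes.

    score 0: fewer than ~10^3 guesses (trivially guessable)
    score 1: fewer than ~10^6      score 2: fewer than ~10^8
    score 3: fewer than ~10^10     score 4: 10^10 guesses or more
    """
    for limit, score in SCORE_THRESHOLDS:
        if guesses < limit + DELTA:
            return score
    return 4


def crack_times_seconds(guesses: float) -> dict:
    """Expected time to exhaust the guess space under each attack scenario."""
    return {name: guesses / rate for name, rate in ATTACK_RATES.items()}


def _round_half_up(x: float) -> int:
    # JavaScript Math.round semantics; Python's round() is banker's rounding.
    return math.floor(x + 0.5)


def display_time(seconds: float) -> str:
    """Human-readable crack time, following zxcvbn's display_time logic."""
    minute, hour, day = 60, 3600, 86400
    month = day * 31
    year = month * 12
    century = year * 100
    if seconds < 1:
        return "less than a second"
    # (divisor, unit name, upper bound for that unit)
    units = [(1, "second", minute), (minute, "minute", hour), (hour, "hour", day),
             (day, "day", month), (month, "month", year), (year, "year", century)]
    for divisor, name, limit in units:
        if seconds < limit:
            n = _round_half_up(seconds / divisor)
            return f"{n} {name}" + ("" if n == 1 else "s")
    return "centuries"


def score_report(guesses: float) -> dict:
    """Everything the minimum-score setting is really comparing against."""
    return {
        "guesses": guesses,
        "score": guesses_to_score(guesses),
        "crack_times_display": {
            name: display_time(secs) for name, secs in crack_times_seconds(guesses).items()
        },
    }


def meets_minimum(guesses: float, minimum_score: int) -> bool:
    """The check a 'minimum score' constraint amounts to once zxcvbn has estimated guesses."""
    return guesses_to_score(guesses) >= minimum_score


if __name__ == "__main__":
    # Constructed guess counts, one per score band, to show what each setting buys.
    for g in (10**2, 10**5, 10**7, 10**9, 10**12):
        r = score_report(g)
        print(f"guesses=1e{int(math.log10(g))}  score={r['score']}")
        for name, shown in r["crack_times_display"].items():
            print(f"    {name:40s} {shown}")
```

The table this prints is the practical answer to question (b) above: a score of 2 only means roughly 10^6 to 10^8 guesses, which an unthrottled online attacker at 10 guesses/second or any offline attacker gets through quickly, while a score of 4 is the first band that survives fast offline hashing for more than a few seconds.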