On 16/11/16 10:14, mathieu stumpf guntz wrote:
By the way, it seems that the password change form doesn't provide
feedback on password strength. Also, a link to resources to learn how
to choose strong passwords, like this
<https://en.wikibooks.org/wiki/Information_Security_in_Education/Authentication#Username.2FPassword_Combinations_for_Identification_.26_Authentication>,
that
<https://en.wikibooks.org/wiki/The_Computer_Revolution/Security/Passwords>,
or something else
<https://en.wikibooks.org/wiki/Using_Wikibooks/Setting_Up_A_User_Account#Choosing_a_Good_Password>.
Safely,
mathieu
It would be good to run a password strength checker at login time as
well, as the software should, for a brief moment, have a copy of the
plaintext password that can be scanned, before it hashes it for
checking and forgets the plaintext.
Users with weak passwords, or passwords which are on an existing crack
list, can then be warned at login time that they have a weak password,
and prompted to change it.
Neil
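One way to implement the login-time check Neil describes (and the strength feedback mathieu asks for on the change form), as an added example that is not part of the thread or of any project's code: the server verifies the submitted password against its stored salted hash, and only if that succeeds does it run the still-present plaintext through a checker that consults a crack list and a crude entropy estimate, returning warnings the UI can show with a prompt to change the password. The crack list here is a constructed five-entry sample kept as SHA-256 digests; the 10-character and 40-bit thresholds are assumptions chosen for illustration, not values from the thread.

```python
import hashlib
import hmac
import math
import os

# Constructed sample "crack list" standing in for a real breach wordlist.
# Only digests are kept so the plaintext list never sits on disk or in memory.
_KNOWN_WEAK = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "wikipedia")
}

# Assumed policy thresholds (illustrative, not from the thread).
MIN_LENGTH = 10
MIN_ENTROPY_BITS = 40.0


def estimate_entropy_bits(pw: str) -> float:
    """Crude upper bound: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0


def password_warnings(pw: str, username: str = "") -> list:
    """Return human-readable warnings; an empty list means no issue was found."""
    warnings = []
    if hashlib.sha256(pw.encode()).hexdigest() in _KNOWN_WEAK:
        warnings.append("password appears on a known crack list")
    if len(pw) < MIN_LENGTH:
        warnings.append("password is shorter than %d characters" % MIN_LENGTH)
    if username and username.lower() in pw.lower():
        warnings.append("password contains the username")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        warnings.append("password has low estimated entropy")
    return warnings


def hash_password(pw: str, iterations: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record, as stored at account creation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def login(username: str, pw: str, record: dict) -> tuple:
    """Verify the password; on success, scan the plaintext before discarding it.

    Returns (authenticated, warnings). Warnings are only produced for a
    successful login so the checker cannot be used as an oracle against
    someone else's account.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw.encode(), record["salt"], record["iterations"]
    )
    if not hmac.compare_digest(candidate, record["digest"]):
        return False, []
    warnings = password_warnings(pw, username)
    del pw  # the plaintext is no longer referenced by this function
    return True, warnings


if __name__ == "__main__":
    stored = hash_password("password")  # constructed weak account
    ok, found = login("alice", "password", stored)
    print(ok, found)
```

The checker runs only after authentication succeeds, so a failed attempt learns nothing from it; the warnings then drive the "please change your password" prompt in the UI.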
Another idea might be for the software to offer to create a random
password for users at account creation time, and also to make the same
offer at password change time.
For example, even using automatically generated simple-looking and
reasonably simple passwords like "little-center-ground-finger"
consisting of 4 words between 5 and 8 characters long, will give an
effective per-password entropy of 62 bits, significantly better than
most user-generated passwords.
Neil
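The passphrase offer Neil sketches, as an added example that is not code from the thread or from any project: words are drawn with the `secrets` module (a CSPRNG) from a list filtered to 5-to-8-letter entries, and the entropy is computed as words × log2(list size), since each word is an independent uniform pick. The 16-word list embedded below is constructed for the demo and gives only 16 bits; the 46,000-word list size passed in the usage line is an assumption that reproduces the message's 62-bit figure (4 × log2(46000) ≈ 62).

```python
import math
import secrets

# Constructed sample dictionary; a real deployment would load a large wordlist.
SAMPLE_WORDS = [
    "little", "center", "ground", "finger", "window", "planet", "forest", "silver",
    "bridge", "candle", "meadow", "anchor", "a", "too", "extraordinarily", "lighthouses",
]


def eligible_words(words, min_len: int = 5, max_len: int = 8) -> list:
    """Keep only words whose length is within the allowed range (5 to 8 by default)."""
    return sorted({w for w in words if min_len <= len(w) <= max_len})


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n uniformly, independently chosen words from a list of list_size."""
    if list_size < 2:
        raise ValueError("word list too small to give any entropy")
    return n_words * math.log2(list_size)


def generate_passphrase(words, n_words: int = 4, sep: str = "-") -> str:
    """Offer a random passphrase such as 'little-center-ground-finger'."""
    pool = eligible_words(words)
    if len(pool) < 2:
        raise ValueError("word list too small after filtering")
    # secrets.choice draws from the OS CSPRNG; repeats are allowed so every
    # pick stays uniform and the entropy formula above holds exactly.
    return sep.join(secrets.choice(pool) for _ in range(n_words))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print("offered passphrase:", phrase)
    print("demo list entropy: %.1f bits" % passphrase_entropy_bits(4, len(eligible_words(SAMPLE_WORDS))))
    # Assumed list size that matches the 62-bit figure quoted in the message.
    print("46,000-word list:  %.1f bits" % passphrase_entropy_bits(4, 46000))
```

Offering the same generator at account creation and at password change keeps the two flows consistent; the entropy shown to the user should be computed from the size of the filtered list actually in use, not from the full dictionary.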