On 16/11/16 13:56, Neil Harris wrote:
On 16/11/16 10:14, mathieu stumpf guntz wrote:
By the way, it seems that the password change form doesn't provide feedback on password strength. Also a link to a resource to learn how to choose a strong password, like this https://en.wikibooks.org/wiki/Information_Security_in_Education/Authentication#Username.2FPassword_Combinations_for_Identification_.26_Authentication, that https://en.wikibooks.org/wiki/The_Computer_Revolution/Security/Passwords, or something else https://en.wikibooks.org/wiki/Using_Wikibooks/Setting_Up_A_User_Account#Choosing_a_Good_Password.
Safely, mathieu
It would be good to run a password strength checker at login time as well, as the software should, for a brief moment, have a copy of the plaintext password that can be scanned, before it hashes it for checking and forgets the plaintext.
Users with weak passwords, or passwords which are on an existing crack list, can then be warned at login time that they have a weak password, and prompted to change it.
Neil
Another idea might be for the software to offer to create a random password for users at account creation time, and also to make the same offer at password change time.
For example, even using automatically generated simple-looking and reasonably simple passwords like "little-center-ground-finger" consisting of 4 words between 5 and 8 characters long, will give an effective per-password entropy of 62 bits, significantly better than most user-generated passwords.
Neil
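As an added illustration of the two ideas above (a login-time check against a list of known-cracked passwords, and generating a random 4-word passphrase with a known entropy), here is an example that is not part of this thread or of any wiki software. The word list and the compromised-password list are small constructed samples; the entropy arithmetic is what matters, and the helper `wordlist_size_for` shows how large a word list must be for 4 words to reach the 62 bits mentioned above.

```python
import math
import secrets

# Constructed sample word list; a real deployment would use a list of
# tens of thousands of words so that 4 words carry about 62 bits.
SAMPLE_WORDS = ["little", "center", "ground", "finger", "window", "planet",
                "silver", "candle", "bridge", "forest", "sky", "telephone"]

# Constructed sample of known-cracked passwords (stand-in for a real crack list).
COMPROMISED = {"password", "123456", "qwerty", "letmein"}


def filter_words(words, min_len=5, max_len=8):
    """Keep only distinct lower-case words between min_len and max_len characters."""
    return sorted({w.lower() for w in words if min_len <= len(w) <= max_len})


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n_words chosen uniformly and independently from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def wordlist_size_for(target_bits, n_words):
    """Smallest word list size so that n_words give at least target_bits of entropy."""
    return math.ceil(2 ** (target_bits / n_words))


def generate_passphrase(words, n_words=4, sep="-"):
    """Pick n_words with the CSPRNG (secrets), e.g. 'little-center-ground-finger'."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def login_time_warnings(password, compromised=COMPROMISED, min_len=12):
    """Return warnings to show after a successful login; the plaintext is
    only available at that moment, before it is hashed and discarded."""
    warnings = []
    if password.lower() in compromised:
        warnings.append("This password appears on a list of cracked passwords; please change it.")
    if len(password) < min_len:
        warnings.append("This password is shorter than %d characters; please choose a longer one." % min_len)
    return warnings
```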