On 16/11/16 10:14, mathieu stumpf guntz wrote:
By the way, it seems that the password change form doesn't provide feedback on password strength. Also a link to resources to learn how to choose a strong password, like this https://en.wikibooks.org/wiki/Information_Security_in_Education/Authentication#Username.2FPassword_Combinations_for_Identification_.26_Authentication, that https://en.wikibooks.org/wiki/The_Computer_Revolution/Security/Passwords, or something else https://en.wikibooks.org/wiki/Using_Wikibooks/Setting_Up_A_User_Account#Choosing_a_Good_Password.
Safely, mathieu
It would be good to run a password strength checker at login time as well, as the software should, for a brief moment, have a copy of the plaintext password that can be scanned, before it hashes it for checking and forgets the plaintext.
Users with weak passwords, or passwords which are on an existing crack list, can then be warned at login time that they have a weak password, and prompted to change it.
Neil