On 16/11/16 10:14, mathieu stumpf guntz wrote:
By the way, it seems that the password change form doesn't provide
feedback on password strength. Also a link to a resource to learn how to
choose a strong password, like this
<https://en.wikibooks.org/wiki/Information_Security_in_Education/Authentication#Username.2FPassword_Combinations_for_Identification_.26_Authentication>,
that
<https://en.wikibooks.org/wiki/The_Computer_Revolution/Security/Passwords>,
or something else
<https://en.wikibooks.org/wiki/Using_Wikibooks/Setting_Up_A_User_Account#Choosing_a_Good_Password>.
Safely,
mathieu
It would be good to run a password strength checker at login time as
well, as the software should, for a brief moment, have a copy of the
plaintext password that can be scanned, before it hashes it for checking
and forgets the plaintext.
Users with weak passwords, or passwords which are on an existing crack
list, can then be warned at login time that they have a weak password,
and prompted to change it.
Neil
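
The login-time check suggested above, sketched as an added example that is not part of either message and not the wiki software's own code. The function names, the PBKDF2 parameters, the length threshold and the small crack list are all assumptions; the list is constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample; a real deployment would load a large breached-password list.
CRACK_LIST = {"password", "123456", "qwerty", "letmein", "wikipedia"}
MIN_LENGTH = 10  # assumed policy threshold


def hash_password(password, salt):
    """Salted, slow hash used for storage and comparison (parameters assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_record(password):
    """Build the stored record for a user; the plaintext is never kept."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def weakness(password, username):
    """Scan the plaintext while it is briefly in memory at login."""
    reasons = []
    lowered = password.lower()
    if lowered in CRACK_LIST:
        reasons.append("on crack list")
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if username and username.lower() in lowered:
        reasons.append("contains username")
    return reasons


def login(username, password, users):
    """Authenticate, then report weaknesses only for a correct password."""
    record = users.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return {"authenticated": False, "warnings": []}
    candidate = hash_password(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"])
    # Warn only after successful authentication, so a failed guess
    # never learns whether the guessed string is considered weak.
    warnings = weakness(password, username) if ok else []
    return {"authenticated": ok, "warnings": warnings}
```

The caller would show the change-password prompt whenever `warnings` is non-empty, and the plaintext goes out of scope when `login` returns.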