Password strength checking with zxcvbn
Over the years there has been some desire for us to implement password complexity requirements but, fundamentally, they do not tend to work. They serve as an incredibly frustrating experience, and when combined with automatic password expiry they just lead to people using the same password over and over with a different number on the end.
In an ideal world, everyone would be using a password manager such as 1Password or LastPass, but in reality people are still picking (frankly) rubbish passwords in order to make them easier to remember. You might be familiar with the following comic:
More than anything, simply educating users is the best approach. Most people genuinely have no idea what constitutes a good or strong password, and often they do not think about it.
The above comic pretty much inspired Dropbox to take on the challenge of coming up with a better way of estimating password complexity, and they came up with zxcvbn, which we have now implemented in XF 2.1. Whenever a user is faced with an option to choose a new password, they will see this:
As well as a visual indication of the password strength, it also provides a description of why the password you have chosen isn't great:
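To make the difference between composition rules and estimation concrete, here is an added toy estimator in the spirit of zxcvbn (it is not the zxcvbn library and not XenForo's code). It assumes a constructed eight-word dictionary with made-up frequency ranks and a small l33t map; a "complex" looking password built from one common word scores 0 while a plain four-word passphrase that fails every composition rule scores 4.

```javascript
// Constructed word list with made-up frequency ranks (rank 1 = most common); not zxcvbn's real data.
const RANK = { password: 1, welcome: 5, dropbox: 60, summer: 70,
               correct: 1200, horse: 3200, battery: 4500, staple: 9800 };
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '@': 'a', '$': 's' };

// The classic composition policy the post argues against: 8+ chars with upper, lower, digit and symbol.
function passesCompositionRules(pw) {
  return pw.length >= 8 && /[A-Z]/.test(pw) && /[a-z]/.test(pw) && /\d/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Greedily split the password into dictionary matches (after undoing l33t substitutions) and leftovers.
function matchSegments(pw) {
  const norm = pw.toLowerCase().replace(/[01345@$]/g, c => LEET[c]);
  const segs = [];
  let i = 0, brute = '';
  while (i < norm.length) {
    const hit = Object.keys(RANK).filter(w => norm.startsWith(w, i)).sort((a, b) => b.length - a.length)[0];
    if (!hit) { brute += pw[i++]; continue; }
    if (brute) { segs.push({ kind: 'bruteforce', token: brute }); brute = ''; }
    const raw = pw.slice(i, i + hit.length);
    segs.push({ kind: 'dictionary', word: hit, rank: RANK[hit],
                leet: raw.toLowerCase() !== hit, upper: raw !== raw.toLowerCase() });
    i += hit.length;
  }
  if (brute) segs.push({ kind: 'bruteforce', token: brute });
  return segs;
}

// Guesses per segment: a word costs about its rank, and l33t/capitalisation only multiply it slightly;
// leftover characters cost (charset size)^length, the brute-force upper bound.
function guessesFor(seg) {
  if (seg.kind === 'dictionary') return seg.rank * (seg.upper ? 2 : 1) * (seg.leet ? 4 : 1);
  const t = seg.token;
  const cs = (/[a-z]/.test(t) ? 26 : 0) + (/[A-Z]/.test(t) ? 26 : 0)
           + (/\d/.test(t) ? 10 : 0) + (/[^A-Za-z0-9]/.test(t) ? 33 : 0);
  return Math.pow(cs, t.length);
}

// Score 0-4 on zxcvbn's guess thresholds (10^3, 10^6, 10^8, 10^10) plus a short reason for the user.
function estimate(pw) {
  const segs = matchSegments(pw);
  const guesses = segs.reduce((g, s) => g * guessesFor(s), 1);
  const score = guesses < 1e3 ? 0 : guesses < 1e6 ? 1 : guesses < 1e8 ? 2 : guesses < 1e10 ? 3 : 4;
  const words = segs.filter(s => s.kind === 'dictionary');
  let warning = '';
  if (words.length === 1 && segs.length <= 2) warning = `"${words[0].word}" is a common word; predictable substitutions barely help`;
  else if (score < 4 && words.length === segs.length) warning = 'Add another word or two';
  return { score, guesses, warning };
}
```

With this dictionary, `estimate('P@ssw0rd1')` gives 80 guesses (score 0) even though it satisfies every composition rule, while `estimate('correcthorsebatterystaple')` gives about 1.7e14 guesses (score 4) despite failing them all.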
All in the hope that, one day, they will see sense and use something strong, but easy to remember, like my favourite password: