Improve required password strength #501
Labels
Comments
|
I think a minimum length is good. A maximum length of 128 is necessary to ensure proper data persistence. I think we should not implement any other requirement and leave that to the user. |
|
Maybe you can use the HaveIBeenPwnd.com API to show people that their password has been in a data breach. But I'm not sure if that is possible... |
|
@svenpopping Yea sounds cool and its probably possible, but I think it's kind of out of scope and I don't think that we should depend on an external API for the password |
|
Could use Dropbox's password checker: https://github.com/dropbox/zxcvbn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, the password strength control is very poor (e.g. passwords with a single character are allowed). We should improve the required password strength to protect the users from being compromised (either manually or by automated means).
OWASP has a great guideline that we could follow.
The text was updated successfully, but these errors were encountered: