Propose removing arbitrary password rules. about core HOT 5 OPEN

Complexity is not a metric we should measure. That is part of the problem with the way most of us (including me at one time) used to think about password security.

The fact is...

Complexity != Security

So we should measure for security not complexity, and anything under 10 chars (depending on slowness of the algorithm) is inherently insecure.

I think we should also check against leaked password lists if we want to be more proactive. But "composition rules" need to go, and short passwords do too.

https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

from core.

Looks like exactly what we need thanks!

from core.

Hi Bryan

Thanks for the pull request.

Entering passphrase on mobile is a pain. Shorter passphrase with a greater complexity is advantageous in this setting. But I agree it makes it more likely that users will forget their passphrase, and also more likely users will pick short passphrase they merely think are complex when they aren't.

Rather than remove the other rules and replace them with a minimum 10 char length, it might be better to come up with an algorithm to test complexity (or find an existing one that isn't too heavy weight). Then according to that algorithm we will let them set the requested passphrase or not. So a short passphrase with high complexity would pass, as would a long phrase with low complexity, but a short passphrase with low complexity would fail.

Interested to see what you come up with!

from core.

Sorry let me clarify: when I say complexity I actually mean entropy per character taking into account password lists and common brute force techniques. This is what I think we should measure.

from core.

Sounds like we're on the same page.

Have you considered zxcvbn?

https://github.com/dropbox/zxcvbn

from core.