So now that I have a pretty good method to identify weak passwords, what should I do when an existing user attempts to log in to their account with a weak password?

Update: I've decided to go with the "Redirect to a password change form and force a password change before continuing" solution. Thanks for all the feedback!

And it's live:

@ayo what's the system?

if it's yours 1
if it's theirs 2

@_p_ Sorry, should have included more context. This is about logging in to a website ( in this case). I guess that counts as "theirs"? It's not like my systems are at risk when someone's account is taken over.

@ayo if you're hosting it it is yours

> It's not like my systems are at risk when someone's account is taken over.

I wouldn't be so sure

@ayo denying access can be very frustrating. I think the best way is to display a warning. And after that, it's up to the user to do what he has to do to be safe

@alexcleac Oh that's a good solution! Not sure how I missed that.

@alexcleac Depending on whether that request is mandatory, that would be "Deny login & reset pass" without the hassle of going through an email-based reset, or that would be an "Allow but display warning" with a password change form as part of the warning.

@ayo If you deny users registration with a weak password, existing users with a weak password should reset theirs. If they're just displayed a warning, I would also show a warning for existing users. But how are you going to do that? I assume the passwords aren't stored in plain text?

@trawzified Registration and password change will indeed disallow weak passwords. The only way to detect existing weak passwords is when the user logs in, no way to display a warning otherwise...

@ayo Right, just making sure. Personally, I'd make them change their password. Good for their own security too, most people reuse their password a lot so it better be a strong one.

@ayo You don't need to allow 500 characters: 128 is enough, or 256 at most. Even if those are just zeros and ones, it's as large a space as a typical key for symmetric encryption (#AES).
Just make sure you aren't restricting the language in a stupid way like the "at least one" bullshit.
OTOH, setting up a minimum length of say 12 characters does make sense.
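A worked example of the two points the thread converges on: checking the password for weakness only at the moment the user logs in (the one moment the plaintext is available), and forcing a password change before the account can be used; plus the length-only policy from the last reply (minimum 12, maximum 128, no "at least one" composition rules). This is illustrative code added for this thread, not the original poster's site code. The in-memory user store, the tiny common-password list, the PBKDF2 parameters and the 12/128 thresholds are all assumptions made for the example.

```python
"""Added example for the thread: weak-password detection at login that
forces a password change before continuing. Not the original poster's
code; user store, common-password list and thresholds are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MIN_LEN = 12    # minimum length suggested in the thread (assumption: 12)
MAX_LEN = 128   # upper bound suggested in the thread (assumption: 128)
PBKDF2_ROUNDS = 100_000  # assumption; tune for your hardware

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password1234", "qwertyuiop12", "letmein12345"}


def password_weakness(password: str) -> Optional[str]:
    """Return why the password is weak, or None if it passes.
    Only length and a known-password lookup are enforced; deliberately
    no "at least one digit/symbol" composition rules."""
    if len(password) < MIN_LEN:
        return f"shorter than {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return f"longer than {MAX_LEN} characters"
    if password.lower() in COMMON_PASSWORDS:
        return "found in common-password list"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    must_change_password: bool = False


USERS: Dict[str, User] = {}
# Dummy credential so unknown usernames still cost one hash (flatter timing).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-never-matches-anything")


def register(name: str, password: str) -> None:
    """Registration and password change reject weak passwords outright."""
    reason = password_weakness(password)
    if reason:
        raise ValueError(f"weak password: {reason}")
    salt, digest = hash_password(password)
    USERS[name] = User(name, salt, digest)


def seed_legacy_user(name: str, password: str) -> None:
    """Constructed: an account created before the policy existed, so its
    weak password was never rejected and is only a hash in the store."""
    salt, digest = hash_password(password)
    USERS[name] = User(name, salt, digest)


def login(name: str, password: str) -> str:
    """Return "denied", "ok" or "change_password".
    The weakness check runs only after the hash verifies: a wrong password
    learns nothing about the policy, and the plaintext is inspected only at
    the one moment the user has just typed it. Nothing about weakness is
    stored beyond the must-change flag."""
    user = USERS.get(name)
    if user is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)
        return "denied"
    if not verify_password(password, user.salt, user.digest):
        return "denied"
    if password_weakness(password):
        user.must_change_password = True   # redirect to the change form
        return "change_password"
    return "ok"


def change_password(name: str, current: str, new: str) -> bool:
    """Password change form: re-verify the current password, apply the
    policy to the new one, then clear the must-change flag."""
    user = USERS.get(name)
    if user is None or not verify_password(current, user.salt, user.digest):
        return False
    if password_weakness(new):
        return False
    user.salt, user.digest = hash_password(new)
    user.must_change_password = False
    return True


def can_access(name: str) -> bool:
    """Every other route checks this: the session is unusable until the
    forced change has been completed."""
    user = USERS.get(name)
    return user is not None and not user.must_change_password


if __name__ == "__main__":
    seed_legacy_user("alice", "qwertyuiop12")           # constructed weak legacy password
    register("bob", "correct horse battery staple")      # passes the policy
    print(login("alice", "qwertyuiop12"))                # change_password
    print(can_access("alice"))                           # False until changed
    print(change_password("alice", "qwertyuiop12", "a much longer passphrase for alice"))
    print(can_access("alice"))                           # True
```

The flag is set on the account rather than just in the session so that abandoning the change form and logging in again lands the user back on it; the common-password set here is a placeholder for whatever list or k-anonymity lookup the site actually uses.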
