So now that I have a pretty good method to identify weak passwords, what should I do when an existing user attempts to log in to their account with a weak password?
Update: I've decided to go with the "Redirect to a password change form and force a password change before continuing" solution. Thanks for all the feedback!
And it's live: https://vndb.org/t12339
@ayo what's the system?
if it's yours 1
if it's theirs 2
@_p_ Sorry, should have included more context. This is about login to a website (VNDB.org in this case). I guess that counts as "theirs"? It's not like my systems are at risk when someone's account is taken over.
@ayo if you're hosting it it is yours
> It's not like my systems are at risk when someone's account is taken over.
I wouldn't be so sure
@ayo denying access can be very frustrating. I think the best way is to display a warning. And after that, it's up to the user to do what he has to do to be safe
@ayo allow to login but request to change password
@alexcleac Oh that's a good solution! Not sure how I missed that.
@alexcleac Depending on whether that request is mandatory, that would be "Deny login & reset pass" without the hassle of going through an email-based reset, or that would be an "Allow but display warning" with a password change form as part of the warning.
@ayo If you don't allow users to register with a weak password, existing users with a weak password should reset theirs. If they're just displayed a warning, I would also show a warning for existing users. But how are you going to do that? I assume the passwords aren't stored in plain text?
@trawzified Registration and password change will indeed disallow weak passwords. The only way to detect existing weak passwords is when the user logs in, no way to display a warning otherwise...
@ayo Right, just making sure. Personally, I'd make them change their password. Good for their own security too, most people reuse their password a lot so it better be a strong one.
@ayo You don't need to allow 500 characters: 128 is enough, or 256 at most. Even if those are just zeros and ones, it's as large a space as a typical key for symmetric encryption (#AES).
Just make sure you aren't restricting the language in a stupid way like the "at least one" bullshit.
OTOH, setting up a minimum length of say 12 characters does make sense.
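The flow the original poster settled on (check the password at the one moment the plaintext is available, i.e. at login, and force a change before the user can continue) together with the policy suggested just above (a minimum of 12 characters, an upper bound of 256, no "at least one digit/symbol" composition rules), as an added example. This is illustrative Python, not VNDB's code: it assumes an in-memory user table, a small constructed weak-password list standing in for whatever dictionary or breach check the site actually uses, and hypothetical route names such as `/change-password`.

```python
"""Weak-password detection at login with a forced password change.

Added example, not VNDB's code. Assumes an in-memory user table, a
constructed weak-password list, and hypothetical route names.
"""
import hashlib
import hmac
import secrets

MIN_LEN = 12    # minimum length suggested in the thread
MAX_LEN = 256   # upper bound suggested in the thread; no need to allow 500

# Constructed stand-in for the site's real weak-password check.
WEAK_PASSWORDS = {"password1234", "correcthorsebattery", "qwertyuiop12"}


def policy_violation(password):
    """Return the reason a password is unacceptable, or None if it passes.
    Length bounds plus a weak-list lookup only: no composition rules."""
    if len(password) < MIN_LEN:
        return f"shorter than {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return f"longer than {MAX_LEN} characters"
    if password.lower() in WEAK_PASSWORDS:
        return "known weak password"
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(user, password):
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["hash"])


def register(users, username, password):
    """New accounts never get a weak password in the first place."""
    if username in users:
        return {"ok": False, "error": "username taken"}
    reason = policy_violation(password)
    if reason:
        return {"ok": False, "error": reason}
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest, "must_change_password": False}
    return {"ok": True}


def login(users, username, password):
    user = users.get(username)
    if user is None:
        hash_password(password)  # spend the same time as a real check so timing doesn't reveal which usernames exist
        return {"ok": False, "error": "invalid credentials"}
    if not verify_password(user, password):
        return {"ok": False, "error": "invalid credentials"}
    # Login is the only point where the plaintext is available, so it is the
    # only place a weak password chosen before the policy existed can be caught.
    if policy_violation(password) is not None:
        user["must_change_password"] = True
    return {"ok": True, "redirect": next_url(user, "/")}


def next_url(user, requested):
    """Gate every request: while the flag is set, only the change form is reachable."""
    if user["must_change_password"] and requested != "/change-password":
        return "/change-password"
    return requested


def change_password(users, username, current, new):
    user = users[username]
    if not verify_password(user, current):
        return {"ok": False, "error": "current password wrong"}
    reason = policy_violation(new)
    if reason:
        return {"ok": False, "error": reason}
    user["salt"], user["hash"] = hash_password(new)
    user["must_change_password"] = False  # flag clears only once a policy-compliant password is set
    return {"ok": True, "redirect": "/"}


if __name__ == "__main__":
    users = {}
    # A legacy account created before the policy existed, inserted directly to bypass register().
    salt, digest = hash_password("password1234")
    users["legacy"] = {"salt": salt, "hash": digest, "must_change_password": False}
    print(login(users, "legacy", "password1234"))          # redirect: /change-password
    print(change_password(users, "legacy", "password1234", "a long and unique passphrase"))
    print(login(users, "legacy", "a long and unique passphrase"))  # redirect: /
```

The `must_change_password` flag lives on the account rather than in the session, so the user cannot sidestep the change form by logging in again from another browser; `next_url` is the check a request handler would run before serving any other page.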