So now that I have a pretty good method to identify weak passwords, what should I do when an existing user attempts to log in to their account with a weak password?


Update: I've decided to go with the "Redirect to a password change form and force a password change before continuing" solution. Thanks for all the feedback!

And it's live:

@ayo You don't need to allow 500 characters: 128 is enough, or 256 at most. Even if those are just zeros and ones, it's as large a space as a typical key for symmetric encryption (#AES).
Just make sure you aren't restricting the language in a stupid way like the "at least one" bullshit.
OTOH, setting up a minimum length of say 12 characters does make sense.
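To show how the chosen "force a password change before continuing" flow and the length bounds from the reply fit together, here is an added example (not code from either poster): a login that only grades the plaintext after the credential is verified, flags the account, and a change form that refuses to clear the flag until a password within the 12/256 bounds and off the weak list is set. The in-memory store, the PBKDF2 hashing and the three-entry weak list are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

MIN_LEN, MAX_LEN = 12, 256  # length bounds suggested in the thread
WEAK_LIST = {"password1234", "qwertyuiop12", "letmein12345"}  # constructed stand-in detector
USERS: dict[str, dict] = {}  # constructed in-memory store: name -> {salt, hash, must_change}

def password_problems(pw: str) -> list[str]:
    """Length bounds plus a weak-list lookup; deliberately no composition rules."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in WEAK_LIST:
        problems.append("appears in the weak-password list")
    return problems

def hash_password(pw: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; argon2/bcrypt is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def register(name: str, pw: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[name] = {"salt": salt, "hash": hash_password(pw, salt), "must_change": False}

def _verify(user: dict, pw: str) -> bool:
    return hmac.compare_digest(hash_password(pw, user["salt"]), user["hash"])

def login(name: str, pw: str) -> str:
    """Returns 'denied', 'ok', or 'change_password' (caller redirects to the change form)."""
    user = USERS.get(name)
    if user is None or not _verify(user, pw):
        return "denied"
    # Grade the plaintext only after the credential verified: an unauthenticated caller learns nothing.
    if password_problems(pw):
        user["must_change"] = True
    return "change_password" if user["must_change"] else "ok"

def change_password(name: str, old_pw: str, new_pw: str) -> list[str]:
    """Empty list on success, otherwise the reasons the new password was rejected."""
    user = USERS[name]
    if not _verify(user, old_pw):
        return ["current password incorrect"]
    problems = password_problems(new_pw)
    if new_pw == old_pw:
        problems.append("new password must differ from the current one")
    if problems:
        return problems
    user["salt"] = secrets.token_bytes(16)
    user["hash"] = hash_password(new_pw, user["salt"])
    user["must_change"] = False  # flag clears only once a strong password is set
    return []
```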
