151
shaggy1
7y

This type of websites need to chill 😄

Comments
  • 7
    @Artemix why use salted password hashes? Better use my ms access database with my visual basic backend.
  • 3
    @Artemix asking the real questions
  • 7
    @Artemix Or, even better, csv file with 777 permission on webroot
  • 2
    On a more serious note though, what do you think is a good way to assess passwords' strength? I don't like it when you have to check for several construction rules and analyse the string 17 times, so my way is to compute the password's entropy and compare it against some established acceptable thresholds.
  • 1
    @zshulu that makes more sense, perhaps a penalty if the password is in standard lists?
  • 0
    @Charmgoggles yeah, that'd be a good idea
  • 0
    @vortexman100 hashing passwords is another topic; we were discussing ways to assess their strength, for instance on the client side.
  • 0
    @zshulu Sry, my brain must have timed out.
  • 0
    It would've been funnier if it returned an internal error...
  • 3
    @zshulu the rule set actually tells the user how to improve the password strength. Your method could only say "make it harder to guess", which non-techies do not understand.
  • 1
    We could explain how users get pwned, tell them to never reuse passwords, and tell them why a password manager is great (or a book, whatever floats your goat).
    Something like an extra info button that, when clicked, says:
    "Why do I need a secure password? Account information is leaked everyday, hackers acquire millions of usernames and passwords and try them on all popular services. If you reuse those, hackers can get in your important life stuff. Choose unique and long passwords because the cracking methods used by hackers take longer for difficult passwords"
  • 5
    Complexity rules don't really add much entropy, so they're pretty irrelevant. Scrap 'em.

    Basically the only thing that matters is password length. (Though 256 lowercase a's isn't very good either...)

    I'd check for runs of the same char (n>2) and a sensible minimum password length... maybe 20 chars? and of course linking to xkcd's correct horse battery staple to explain why.

    And yes, a note about the dangers of password reuse!

    ... apologies, I am exhausted and falling asleep 😦😪
  • 0
    That final password has two consecutive capital letters, ruining the ending :/
  • 1
    @Ashkin Sensible rules:

    * Phrase must be longer than 20 chars.
    * Advised, but not mandatory, to use special chars.
    * Password cannot literally be "correcthorsebatterystaple"
  • 0
    I usually let my password manager generate a large amount of random characters... Or come up with a long but easy to remember phrase which logically includes special chars on its own.

    Stuff like

    "Subway tickets cost €1.25 after 9:30 am"
    "I can juggle 4 potatoes when I'm drunk"
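The entropy-threshold approach, the blocklist penalty, the repeated-character check and the "longer than 20 chars, special chars advised" rules discussed in this thread, combined into one client-side-style checker. This is an added example, not code from any commenter; the blocklist, the 20-character minimum and the 60-bit threshold are assumed values, and the per-character entropy estimate is an upper bound (it cannot tell a random string from a dictionary phrase, which is why the blocklist is still needed).

```python
import math
import re

# Constructed stand-in for a real leaked-password list; a production check
# would consult a large breach corpus rather than a handful of literals.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "correcthorsebatterystaple"}
MIN_LENGTH = 20          # minimum length floated in the thread (assumed)
MIN_ENTROPY_BITS = 60    # assumed acceptance threshold
RUN_RE = re.compile(r"(.)\1{2,}")   # three or more of the same character in a row


def pool_size(pw: str) -> int:
    """Size of the character pool the password visibly draws from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(pw: str) -> float:
    """Upper-bound estimate: every character assumed uniform over the pool.

    Runs of three or more identical characters are collapsed to one first,
    so 256 lowercase a's scores like a single letter instead of ~1200 bits.
    """
    collapsed = RUN_RE.sub(r"\1", pw)
    size = pool_size(collapsed)
    return len(collapsed) * math.log2(size) if size else 0.0


def assess(pw: str) -> dict:
    """Hard failures (errors) and soft advice (hints) in user-facing wording."""
    errors, hints = [], []
    if pw.lower() in COMMON_PASSWORDS:
        errors.append("This password is on a list of commonly used passwords.")
    if len(pw) < MIN_LENGTH:
        errors.append(f"Use at least {MIN_LENGTH} characters; a memorable phrase works.")
    if RUN_RE.search(pw):
        errors.append("Avoid repeating the same character three or more times in a row.")
    bits = entropy_bits(pw)
    if bits < MIN_ENTROPY_BITS:
        errors.append(f"Too easy to guess (about {bits:.0f} bits); make it longer.")
    if not re.search(r"[^a-zA-Z0-9]", pw):
        hints.append("Optional: special characters raise the guessing cost further.")
    return {"ok": not errors, "bits": round(bits, 1), "errors": errors, "hints": hints}
```

The phrase example from the last comment passes every hard check, while the xkcd phrase is rejected by the blocklist despite its length.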