dumb-password-rules VS zxcvbn

Here is a compilation of the best stuff: https://github.com/duffn/dumb-password-rules

Here are some really egregious examples but even the "must contain uppercase, lowercase, number and special character" rules are pretty bad. You don't add much additional security because people will just make the first character uppercase, and append 1, ! or whatever. Or worse you'll force them to write it down.

If you want actually useful password requirements, use zxcvbn.

A integrated password strength checker could be useful , maybe adding keepassxc algorithm (which is open source).

This. Or there is the original presentation for those who prefer a video.

It caps password strength at each character having 10 possible values. So a 8 character password is considered to be at most 108 possible values (about 24 bit) and is marked insecure. This is useless for me as I have lots of legacy randomly generated passwords from Keepass that have 56 bits of randomness (no way those can be brute forced) and these are all marked as very insecure, so I have no way in the report to identify actual insecure passwords. See eg https://github.com/dropbox/zxcvbn/issues/135

Maybe keep the same ui but use zxcvbn to calculate the password time to crack - https://github.com/dropbox/zxcvbn

Interestingly, in doing research on trying to find a tool that measure password strenght (I didn't find one that measured it quite as accurately as I would have liked), I found actual research (another useful link) behind the tool that bitwarden uses in their online password strengther checker, I didn't bother to read it yet, but I'm sure it will answer a lot of questions I'm asking about the maths behind the proposition that using a sequence of random words is better than using a sequence of random letters.

> E.g. postcriptaluminumengagement vs kug45l2wx

If there are 250,000 words, that is around 18 bits. So three randomly chosen words strung together give you around 54 bits. On the other hand, an alphanumeric character is around 6 bits, so 9 of them strung together is about 54 bits. So, assuming your dictionary was 250,000 words, both of the passwords you posted were about the same quality.

> Or are there also dictionaries that contain combos of words?!

Your software just concatenates words and other well known sequences (123, zxcvbn).

Check out the great password entropy checker called zxcvbn:

https://github.com/dropbox/zxcvbn

https://dropbox.tech/security/zxcvbn-realistic-password-stre...

https://www.bennish.net/password-strength-checker/

(Note: don't enter production passwords into random websites, needless to say...)

Zxcvbn is a password strength estimation library. I think that’s a database it uses to spot common or weak passwords.

I just found #290 which links to https://github.com/zxcvbn-ts/zxcvbn, which appears to be maintained!

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.