So I understand you shouldn't be using hard rules, like including numbers, special symbols, and mixing upper and lowercase characters, as you can have a very weak password that passes those rules, or a very strong password entirely in lowercase. Nevertheless, one does need some sort of password validation to prevent technologically non-savvy users from entering trivially crackable passwords.
I've used Dropbox's zxcvbn, but that is no longer maintained, and the ports to other languages are not reliable in my experience.
Is the Have I Been Pwned API (https://haveibeenpwned.com/API/v3) the state-of-the-art?