Ask HN: How to do password strength checking in 2020?
What should I be doing when I can't force users to use a password manager?
So I understand you shouldn't be using hard rules, like including numbers, special symbols, and mixing upper and lowercase characters, as you can have a very weak password that passes those rules, or a very strong password entirely in lowercase. Nevertheless, one does need some sort of password validation to prevent technologically non-savvy users from entering trivially crackable passwords.
I've used Dropbox's zxcvbn, but that is no longer maintained, and the ports to other languages are not reliable in my experience.
Is the Have I Been Pwned API (https://haveibeenpwned.com/API/v3) the state-of-the-art?
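As an added example (not code from the post, from Dropbox, or from Have I Been Pwned), here is the check a practitioner would typically build around the poster's two observations: no composition rules, a minimum length, and a rejection of anything already seen in a breach. It uses the Pwned Passwords range endpoint, which works on the k-anonymity model: only the first five hex characters of the password's SHA-1 are sent, the server returns every suffix in that bucket as `SUFFIX:COUNT` lines, and the match is done locally. The sample range body, its counts and the non-"password" suffixes in it are constructed for this demo (only the SHA-1 of "password" is real); `fetch_range_online`, the `Add-Padding` header handling and the `evaluate_password` policy are this example's own design, not an official client.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Pwned Passwords range endpoint (k-anonymity model): only the first five hex
# characters of the SHA-1 leave the client; the remaining 35 are matched locally.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' line per hash) and return the
    breach count for our suffix, or 0 when it is absent. Lines added by the
    Add-Padding header carry count 0, so they never mark a password as breached."""
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> str:
    """Network fetcher for real use (not exercised by the offline demo below).
    Add-Padding asks the server to pad the bucket so response size leaks nothing."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def evaluate_password(password: str, fetch_range: Callable[[str], str],
                      min_len: int = 8) -> Dict[str, object]:
    """Policy (this example's own choice): enforce only a minimum length, then
    reject any password that appears in a breach. A failed lookup is reported
    as 'lookup_unavailable' instead of silently accepting the password; the
    caller decides whether to fail open or closed for its threat model."""
    if len(password) < min_len:
        return {"ok": False, "reason": "too_short", "breach_count": 0}
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        body = fetch_range(prefix)
    except Exception:
        return {"ok": False, "reason": "lookup_unavailable", "breach_count": None}
    n = count_in_range(suffix, body)
    if n > 0:
        return {"ok": False, "reason": "breached", "breach_count": n}
    return {"ok": True, "reason": "accepted", "breach_count": 0}


# Constructed sample range body for prefix 5BAA6 (SHA-1 of "password" begins
# 5BAA61E4...). The first suffix is the real one for "password"; its count and
# the other two lines are made up, the 0-count line mimicking a padding entry.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
        "00A2E5A2A5E8B1F0C1D2E3F4A5B6C7D8E9F:0",
        "1A2B3C4D5E6F7081920A1B2C3D4E5F60718:12",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for fetch_range_online, serving the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "short", "a quite different passphrase"]:
        print(pw, "->", evaluate_password(pw, fetch_range_offline))
```

To go live, pass `fetch_range_online` instead of `fetch_range_offline`; the rest of the code does not change. Note that the password itself never leaves the client, but the check should still run server-side at registration and password change, since a client-side check can simply be skipped.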