While many admins and blog posts tell users that length is by far the most important factor in creating strong passwords/passphrases, the majority of password input fields still hand them a set of hidebound composition rules: at least eight characters, at least one upper- and one lowercase letter, some digits and punctuation marks, and so on.
Even though it includes dictionary words, a passphrase like:
Sgt. Pepper's Mr. Kite
is far stronger than:
js72(.Tb8
(there’s a world of difference between 22 characters and 9, from a cracking perspective). But many password input fields would reject the first one. No wonder users are confused by the process of creating strong passwords!
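To make the contrast concrete, here is an added example (my own code, not the post's and not zxcvbn) that runs both passwords from the post through a typical composition-rule validator and through two cost estimates: the naive brute-force count behind the "22 characters versus 9" comparison, and a toy wordlist-aware count of the kind zxcvbn refines with many more patterns. The validator class mirrors the method names Django calls on an entry in AUTH_PASSWORD_VALIDATORS (validate(password, user=None) and get_help_text()) but raises ValueError in place of django.core.exceptions.ValidationError so the file runs without Django; the rule set, the alphabet sizes, WORDLIST and WORDLIST_SIZE are constructed assumptions, not measurements.

```python
"""Composition rules versus length, checked on the two passwords from the post.

Added example: not the post's code and not zxcvbn itself. The validator
mirrors Django's AUTH_PASSWORD_VALIDATORS interface (validate(password,
user=None), get_help_text()) but raises ValueError instead of
django.core.exceptions.ValidationError so this runs without Django.
"""
import math
import re
import string

PASSPHRASE = "Sgt. Pepper's Mr. Kite"   # from the post
RANDOMISH = "js72(.Tb8"                  # from the post

PUNCT = set(string.punctuation)          # the 32 printable ASCII punctuation marks


class CompositionValidator:
    """The usual 'hidebound' rule set (assumed): 8+ characters, an uppercase
    and a lowercase letter, a digit, a punctuation mark, and no spaces."""

    rules = [
        ("at least 8 characters", lambda p: len(p) >= 8),
        ("an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
        ("a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
        ("a digit", lambda p: re.search(r"[0-9]", p) is not None),
        ("a punctuation mark", lambda p: any(c in PUNCT for c in p)),
        ("no spaces", lambda p: " " not in p),
    ]

    def failures(self, password):
        """Descriptions of every rule the password breaks (empty = accepted)."""
        return [desc for desc, ok in self.rules if not ok(password)]

    def validate(self, password, user=None):
        missing = self.failures(password)
        if missing:
            raise ValueError("Password must have: " + ", ".join(missing))

    def get_help_text(self):
        return "Your password must have " + ", ".join(d for d, _ in self.rules) + "."


def composition_accepts(password):
    """True if the composition validator lets the password through."""
    try:
        CompositionValidator().validate(password)
    except ValueError:
        return False
    return True


def brute_force_bits(password):
    """Naive cracking cost, log2(alphabet ** length), with the alphabet being
    the union of the character classes the password uses (sizes assumed).
    This is the '22 characters versus 9' view."""
    if not password:
        return 0.0
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if any(c in PUNCT for c in password):
        alphabet += len(PUNCT)
    if " " in password:
        alphabet += 1
    return len(password) * math.log2(alphabet)


# Constructed stand-in for a cracker's wordlist: membership decides whether a
# run of letters counts as a word, WORDLIST_SIZE is the assumed size of the
# real list the lookup is charged at.
WORDLIST = {"sgt", "pepper", "mr", "kite", "password", "letmein", "qwerty"}
WORDLIST_SIZE = 10_000


def wordlist_bits(password):
    """Toy version of what a pattern-aware estimator such as zxcvbn does: each
    dictionary word costs one wordlist lookup (plus one assumed bit for a
    capitalisation variant) rather than one guess per character; whatever is
    left is charged at brute-force cost. zxcvbn also recognises dates,
    keyboard walks, repeats and l33t substitutions; this does not."""
    bits = 0.0

    def consume(match):
        nonlocal bits
        word = match.group(0)
        if word.lower() in WORDLIST:
            bits += math.log2(WORDLIST_SIZE)
            if word != word.lower():
                bits += 1.0
            return ""          # drop the word from the brute-force remainder
        return word            # not a known word: keep it for brute force

    remainder = re.sub(r"[A-Za-z]+", consume, password)
    if remainder:
        bits += brute_force_bits(remainder)
    return bits


if __name__ == "__main__":
    for pw in (PASSPHRASE, RANDOMISH):
        print(f"{pw!r}: composition accepts={composition_accepts(pw)} "
              f"(fails: {CompositionValidator().failures(pw)}), "
              f"brute force {brute_force_bits(pw):.1f} bits, "
              f"wordlist-aware {wordlist_bits(pw):.1f} bits")
```

Run as a script, the composition rules reject the passphrase (no digit, contains spaces) and accept the 9-character string; the brute-force count gives roughly 141 bits against 59, and the toy wordlist-aware count knocks the passphrase down to about 98 bits while leaving the random-looking string unchanged. That discount is the reason to let a pattern-aware estimator judge strength instead of a rule checklist: the checklist gets the ranking backwards, and a pure length count overstates a dictionary-based passphrase.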
Continue reading “Sane Password Strength Validation for Django with zxcvbn”