It would be nice to have a "generate me a strong password" button with localizable requirements.
Related tasks:
- T121186 Implement results of enwiki Security review RfC (Open, None)
- T32574 Display a password strength bar (Open, None)
- T151011 Add password generator to account creation / password change form (Open, None)
There are two types of good password generation:
- A medium-length string of random uppercase/lowercase/numbers (say 12 or 16 characters), with easily confusable characters removed from the pool.
- A long human-readable text of space-separated random dictionary words (probably 5 or 6 words), e.g. diceware.
I'm not sure the first is worth doing as the only sane way to use such passwords is a password manager and that can generate random passwords just fine. (Maybe there are less technical users who have problems with password managers and just write the passwords down, but those are better served by diceware style passwords anyway since words are easier to type.) OTOH it is very trivial to implement.
The second is good for people who need to memorize the password for some reason, or need to type it in often (i.e. often log in on foreign machines). The best library I have seen for it is grempe/diceware (test page), which has support for ~20 languages (of course it would be fairly trivial to add more). Word lists are around 100K, which is a bit large, but they don't exactly make an effort to reduce the size, which could be done pretty easily.
My feeling about this is adding password generation into the authentication flow is a pretty new concept and while there may be some security benefit there are a lot of unknowns here and some potential abuse. Maybe a compromise is the addition of a link to security awareness content during the account creation/passwd change flow and the inclusion of a strength meter?