Comments (5)
Complexity is not a metric we should measure. That is part of the problem with the way most of us (including me at one time) used to think about password security.
The fact is...
Complexity != Security
So we should measure for security, not complexity, and anything under 10 chars (depending on the slowness of the algorithm) is inherently insecure.
I think we should also check against leaked password lists if we want to be more proactive. But "composition rules" need to go, and short passwords do too.
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
from core.
Looks like exactly what we need, thanks!
from core.
Hi Bryan
Thanks for the pull request.
Entering a passphrase on mobile is a pain. A shorter passphrase with greater complexity is advantageous in this setting. But I agree it makes it more likely that users will forget their passphrase, and also more likely that users will pick short passphrases they merely think are complex when they aren't.
Rather than remove the other rules and replace them with a minimum 10 char length, it might be better to come up with an algorithm to test complexity (or find an existing one that isn't too heavyweight). Then according to that algorithm we will let them set the requested passphrase or not. So a short passphrase with high complexity would pass, as would a long phrase with low complexity, but a short passphrase with low complexity would fail.
Interested to see what you come up with!
from core.
Sorry, let me clarify: when I say complexity I actually mean entropy per character, taking into account password lists and common brute force techniques. This is what I think we should measure.
from core.
Sounds like we're on the same page.
Have you considered zxcvbn?
https://github.com/dropbox/zxcvbn
from core.
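The check proposed in the thread above (score a passphrase by estimated guessing entropy, counting password lists and common attack patterns, so that a short but random passphrase and a long but plain one both pass while a short plain one fails), written out as an added example in JavaScript. This is not Toast Wallet code and not zxcvbn, which does the same job far more thoroughly. The leaked-password list and word list are constructed stand-ins, and the assumed 50,000-entry dictionary size, the 40-bit threshold and the per-pattern costs are illustrative assumptions, not measured values.

```javascript
// Added example, not Toast Wallet code and not zxcvbn: estimate how many bits
// of guessing an attacker needs, charging leaked passwords, dictionary words,
// keyboard walks, repeats and years as cheap patterns and only the leftover
// characters as brute force. Both lists below are constructed stand-ins.

// Top leaked passwords in rank order: the attacker tries index 0 first.
const LEAKED = ["123456", "password", "qwerty", "letmein", "iloveyou",
                "dragon", "football", "monkey", "welcome", "princess"];
// Plain dictionary words; a real list holds ~50k entries, which is what we charge.
const WORDS = ["correct", "horse", "battery", "staple", "wallet", "secret",
               "summer", "toast", "ripple", "bitcoin"];
const ASSUMED_DICT_SIZE = 50000;     // assumption: size of a real word list
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const MIN_BITS = 40;                 // assumed policy threshold; raise it for a fast hash
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
               "0": "o", "$": "s", "5": "s", "7": "t" };

// Alphabet size an attacker must brute-force for the character classes present.
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33;     // printable ASCII symbols
  return pool || 1;
}

// Longest run from position i that walks along one keyboard row in either direction.
function keyboardRun(s, i) {
  let best = 1;
  for (const row of KEYBOARD_ROWS) {
    for (const r of [row, [...row].reverse().join("")]) {
      const p = r.indexOf(s[i]);
      if (p < 0) continue;
      let n = 1;
      while (i + n < s.length && p + n < r.length && s[i + n] === r[p + n]) n++;
      best = Math.max(best, n);
    }
  }
  return best;
}

// Longest leaked password or dictionary word starting at i, tried against both
// the lower-cased text and its de-leeted form so "P@ssw0rd" still hits "password".
function dictionaryMatch(lower, leet, i) {
  let hit = null;
  const consider = (w, cost, kind) => {
    if ((lower.startsWith(w, i) || leet.startsWith(w, i)) && (!hit || w.length > hit.w.length)) {
      hit = { w, cost, kind };
    }
  };
  LEAKED.forEach((w, rank) => consider(w, Math.log2(rank + 2), "leaked"));
  if (!hit) WORDS.forEach((w) => consider(w, Math.log2(ASSUMED_DICT_SIZE), "word"));
  return hit;
}

function estimateBits(pw) {
  const lower = pw.toLowerCase();
  const leet = lower.replace(/[\s\S]/g, (c) => LEET[c] || c);
  const perChar = Math.log2(poolSize(pw));
  const tokens = [];
  let bits = 0;
  let i = 0;
  while (i < lower.length) {
    const hit = dictionaryMatch(lower, leet, i);
    if (hit) {
      const raw = pw.slice(i, i + hit.w.length);
      let cost = hit.cost;
      if (raw !== raw.toLowerCase()) cost += 1;   // capitalisation: one extra guess dimension
      if (raw.toLowerCase() !== hit.w) cost += 1; // leet substitutions: likewise
      bits += cost; tokens.push(`${hit.kind}:${hit.w}`); i += hit.w.length; continue;
    }
    const kb = keyboardRun(lower, i);
    if (kb >= 3) {                                // row x start key x direction, plus length
      bits += Math.log2(KEYBOARD_ROWS.length * 10 * 2) + (kb - 3);
      tokens.push(`keyboard:${lower.slice(i, i + kb)}`); i += kb; continue;
    }
    let rep = 1;
    while (i + rep < lower.length && lower[i + rep] === lower[i]) rep++;
    if (rep >= 3) {                               // one character plus a length
      bits += perChar + Math.log2(rep);
      tokens.push(`repeat:${lower.slice(i, i + rep)}`); i += rep; continue;
    }
    const year = lower.slice(i, i + 4);
    if (/^(19|20)\d\d$/.test(year)) {             // ~200 plausible years, not 4 random digits
      bits += Math.log2(200);
      tokens.push(`year:${year}`); i += 4; continue;
    }
    bits += perChar; i += 1;                      // genuinely unstructured character
  }
  return { bits: Math.round(bits * 10) / 10, tokens };
}

// Policy decision: pass when the estimated work exceeds MIN_BITS, whatever the length.
function checkPassphrase(pw) {
  const { bits, tokens } = estimateBits(pw);
  return { ok: bits >= MIN_BITS, bits, tokens };
}

for (const pw of ["xK9#pL2!", "correcthorsebatterystaple", "Password1",
                  "P@ssw0rd2016", "aaaaaaaaaaaa"]) {
  const r = checkPassphrase(pw);
  console.log(`${r.ok ? "PASS" : "FAIL"} ${String(r.bits).padStart(5)} bits  ${pw}  [${r.tokens.join(", ")}]`);
}
```

Run with node. The five sample inputs cover the three cases in the thread: the 8-character random string passes on brute-force cost alone, the four-word phrase passes because each word costs a full dictionary lookup, and "Password1", "P@ssw0rd2016" and a run of twelve identical characters all fail because capitalisation, leet substitution, a year suffix and sheer length add only a handful of bits on top of a rank-2 leaked password or a single character. The tunable is MIN_BITS, which should be set against the slowness of the password hash actually used; for production, replacing the stand-in lists with a real breach corpus, or simply using zxcvbn, is the sensible next step.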