Improve new password requirements
Current behavior
Since !974 (merged), we require new passwords to meet all of the following requirements. These are the rules a Synapse password policy can enforce; the Matrix spec itself only defines the M_WEAK_PASSWORD error code, not the rules behind it:
- contain a lower-case letter,
- contain an upper-case letter,
- contain a number,
- contain a symbol,
- be at a minimum 8 characters in length.
Issue
In this comment, @bertob said:
Personally I'm not a huge fan of enforcing password strength rules other than length, IIRC there's some literature about how this actually ends up encouraging password reuse. I think warning people makes sense, but not sure about making it a hard requirement.
We are limited in how we can change that. Homeservers can enforce their own password rules and answer a password change with an M_WEAK_PASSWORD error whose message explains which requirement was not met. That message cannot be shown directly to the user because it is not localized.
The rules above are the defaults that can be enabled in a Synapse homeserver's config, so enforcing them client-side should prevent that error on servers using those defaults. Nothing guarantees it, though: a homeserver may run a stricter policy, a different one, or none at all.
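As an added example (not Fractal's own code), the following Rust sketch shows the two halves of the current approach: a client-side mirror of Synapse's default password policy that reports every unmet rule at once with a client-owned, translatable hint, and a classifier for the homeserver's error response that maps M_WEAK_PASSWORD to a generic localized message instead of showing the server's English text. The policy struct, the UnmetRequirement and ServerVerdict enums, the hint strings and the ASCII character classes are all assumptions made for this example; the MatrixError struct assumes the HTTP layer has already parsed the errcode and error fields out of the JSON body.

```rust
// Added example, not part of the original issue or of Fractal.

/// Mirror of Synapse's `password_config.policy` defaults. Assumption: the
/// homeserver runs those defaults; a stricter policy can still reject a
/// password this check accepts.
#[derive(Debug, Clone)]
pub struct PasswordPolicy {
    pub minimum_length: usize,
    pub require_digit: bool,
    pub require_symbol: bool,
    pub require_lowercase: bool,
    pub require_uppercase: bool,
}

impl Default for PasswordPolicy {
    fn default() -> Self {
        PasswordPolicy {
            minimum_length: 8,
            require_digit: true,
            require_symbol: true,
            require_lowercase: true,
            require_uppercase: true,
        }
    }
}

/// One rule a candidate password fails. Each variant maps to a string the
/// client owns, so it can be translated instead of showing the server's text.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum UnmetRequirement {
    TooShort { minimum: usize },
    MissingDigit,
    MissingSymbol,
    MissingLowercase,
    MissingUppercase,
}

impl UnmetRequirement {
    /// Hypothetical hint text; a real client would route these through gettext.
    pub fn hint(&self) -> String {
        match self {
            UnmetRequirement::TooShort { minimum } => format!("Use at least {} characters", minimum),
            UnmetRequirement::MissingDigit => "Include a number".to_string(),
            UnmetRequirement::MissingSymbol => "Include a symbol".to_string(),
            UnmetRequirement::MissingLowercase => "Include a lower-case letter".to_string(),
            UnmetRequirement::MissingUppercase => "Include an upper-case letter".to_string(),
        }
    }
}

impl PasswordPolicy {
    /// Returns every rule the password fails so the UI can list all of them.
    /// Character classes are ASCII-only (assumption: this matches the regexes
    /// Synapse uses), which means a letter like "é" counts as a symbol here.
    pub fn check(&self, password: &str) -> Vec<UnmetRequirement> {
        let mut unmet = Vec::new();
        // Count characters, not bytes, so multi-byte input is not over-counted.
        if password.chars().count() < self.minimum_length {
            unmet.push(UnmetRequirement::TooShort { minimum: self.minimum_length });
        }
        let has = |pred: fn(char) -> bool| password.chars().any(pred);
        if self.require_digit && !has(|c| c.is_ascii_digit()) {
            unmet.push(UnmetRequirement::MissingDigit);
        }
        if self.require_symbol && !has(|c| !c.is_ascii_alphanumeric()) {
            unmet.push(UnmetRequirement::MissingSymbol);
        }
        if self.require_lowercase && !has(|c| c.is_ascii_lowercase()) {
            unmet.push(UnmetRequirement::MissingLowercase);
        }
        if self.require_uppercase && !has(|c| c.is_ascii_uppercase()) {
            unmet.push(UnmetRequirement::MissingUppercase);
        }
        unmet
    }
}

/// The two fields of a Matrix standard error body, already extracted from
/// the JSON by the HTTP layer (assumption; parsing is out of scope here).
#[derive(Debug)]
pub struct MatrixError {
    pub errcode: String,
    pub error: String,
}

/// What the password form shows after the homeserver rejects the request.
#[derive(Debug, PartialEq, Eq)]
pub enum ServerVerdict {
    /// Server policy is stricter than the local check: show a generic,
    /// translatable message; the server's English text only goes to the log.
    WeakPassword,
    Other(String),
}

pub fn classify_error(err: &MatrixError) -> ServerVerdict {
    match err.errcode.as_str() {
        "M_WEAK_PASSWORD" => {
            eprintln!("homeserver rejected password: {}", err.error);
            ServerVerdict::WeakPassword
        }
        other => ServerVerdict::Other(other.to_string()),
    }
}

fn main() {
    // Constructed sample input, not real user data.
    for unmet in PasswordPolicy::default().check("password") {
        println!("{}", unmet.hint());
    }
    let err = MatrixError { errcode: "M_WEAK_PASSWORD".into(), error: "too weak".into() };
    println!("{:?}", classify_error(&err));
}
```

The check deliberately returns all failing rules rather than stopping at the first, which is what lets the client show one complete, localized list; the server's M_WEAK_PASSWORD path stays as a fallback for homeservers whose policy differs from the defaults.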
Possible solutions
- MSC2000 proposes a new endpoint to get the password requirements of the homeserver in a machine-readable format.
- MSC2957, MSC3262 and MSC3726 propose that the password should not be transmitted to the server at all, so the server would not do any validation. MSC3265 has a similar idea, but since it relies on the current behavior, we might still get an M_WEAK_PASSWORD error if the rules are too strict.
- MSC2964 proposes using OpenID Connect to handle the credentials. That would mean that, as with SSO, we are never in contact with the password, so this issue is avoided.
Note: Element Web seems to use the zxcvbn library to estimate password strength.
CC: @bertob