As a user, when I’m creating or changing my password I want a visual cue that tells me about the complexity or quality of my password. (Weak, Good, Strong)
To test this enable the “Enable password strength check” under host settings, and then register a new user. When you access the password and password confirmation boxes, as you type a visual indication of the strength of the password will show.
Note: this is an alert only, a user may still choose a “weak” password as strength meters use relatively simple rules. In our case we are sourcing the 2 parameters used to judge strength from the minRequiredPasswordLength and minRequiredNonalphanumericCharacters values in web.config (you will want to alter these to test that different values return different strength warnings)
The password strength meter has 6 rules, each of which score one point
- Meets minimum password length
- Meets minimum number of “special” characters e.g. [email protected]#$ etc.
- Contains a capital letter
- Contains a lowercase letter
- Contains a number
- Password length is 3 or more characters longer than the minimum length
Note: only the first two are requirements for a valid password, the others simply show that the user is using a “better” password. By encouraging user's to use a better password, it decreases the likelihood that other users will guess their password, or that a hacker can crack the password by generating hashes to attack a compromised site using Hashed passwords