Hi we’ve been looking at this add-on (https://vaadin.com/directory/component/zxcvbn/overview).
Out of the box the strength algorithm is good for some users but not others. We deal with customers in the school market, so we’d broadly have 3 requirements:
- Admins: require strong passwords (eg upper + lowercase + numbers + symbols) - zxcvbn is great for this.
- Senior students: good passwords (eg case-insensitive letters + numbers).
- Junior students: weak passwords (eg just 4-digit PIN).
So when someone is setting their password, we’d want to ‘normalise’ the strength meter based on what strength is required for the age or group that user is in (which we know within our system). So for example when a young child enters “1”, we display 1-bar red, “678” we display 2-bar orange, for “2947” we show 4-bar green. Or something like that.
It looks like this add-on is not configurable for this sort of use. But if we could tell it to base the strength meter on ‘crack time’ instead of ‘strength’, we’d get more granularity. And if we could then set the strength meter to cover the range from (0 - min-crack-time), this’d be ideal for us.
BTW, our login system already locks out users after X failed attempts, so real-world crack time would exceed what zxcvbn estimates.
Ideas?