Solved: Minimum Password Strength - Definition?
-
Does anyone know what the actual breakdown is of these settings?
This doesn't help. I need to know what the meanings are. For example, 0, does it mean anything, just letters or numbers?
Does 1 mean a combination of x letters plus x numbers?
Etc. I need to know this because I need to match these settings to another app we have so we can sync users/passwords.
0 # too guessable: risky password. (guesses < 10^3)
1 # very guessable: protection from throttled online attacks. (guesses < 10^6)
2 # somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
3 # safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
4 # very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
-
@nodeham I understood what you were asking, but to be honest zxcvbn was implemented by us quite a long time ago, and I no longer remember what the specifics are.
However, I can almost guarantee it is nothing as simple as requiring symbols and letters. zxcvbn has its own heuristics for determining password guessability, including such metrics as "closeness" to other simple passwords, or how quickly a computer may brute force guess it (given some assumptions).
So I don't think there's a direct comparison between what we have and what you want.
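
An added illustration of why the 0-4 bands above do not translate into character-class rules (this is not code from the forum software or from zxcvbn). The guess estimator, the word list and the composition policy are constructed assumptions; only the score thresholds come from the thread.

```python
import string

# Upper bounds on guesses for scores 0-3, exactly as listed in the thread.
SCORE_BOUNDS = [10**3, 10**6, 10**8, 10**10]
# Constructed stand-in for a ranked common-password dictionary.
COMMON = ["password", "123456", "qwerty", "letmein", "welcome"]
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]

def score_from_guesses(guesses):
    """Map an estimated guess count to the 0-4 score bands from the thread."""
    for score, bound in enumerate(SCORE_BOUNDS):
        if guesses < bound:
            return score
    return 4

def estimate_guesses(password):
    """Toy estimator (assumption, not zxcvbn's algorithm): a common word with
    trailing digits/symbols is cheap; anything else is charged brute force."""
    base = password.rstrip(string.digits + string.punctuation)
    for word in (password, base):
        if word.lower() in COMMON:
            rank = COMMON.index(word.lower()) + 1
            case_variants = 1 if word == word.lower() else 2
            return rank * case_variants * 10 ** (len(password) - len(word))
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return pool ** len(password)

def meets_composition_policy(password):
    """Hypothetical character-class rule of the kind another app might use."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def compare(password):
    """Return (passes composition rule, guess-based score) for one password."""
    return (meets_composition_policy(password),
            score_from_guesses(estimate_guesses(password)))

if __name__ == "__main__":
    for pw in ("Password1!", "tqzxvmhrwkpdlbnc"):  # constructed samples
        print(pw, compare(pw))
```

The first sample satisfies the composition rule yet lands in score 0, while the second fails the rule and lands in score 4, so neither scheme can be derived from the other.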