Solved: Minimum Password Strength - Definition?

General Discussion
  • Does anyone know what the actual breakdown is of these settings?
    This doesn't help. I need to know what the meanings are.

    For example, 0, does it mean anything, just letters or numbers?
    Does 1 mean a combination of x letters plus x numbers?
    Etc. I need to know this because I need to match these settings to another app we have so we can sync users/passwords.

    0 # too guessable: risky password. (guesses < 10^3)
    1 # very guessable: protection from throttled online attacks. (guesses < 10^6)
    2 # somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
    3 # safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
    4 # very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)

  • @nodeham these password strengths are inherited from the zxcvbn package, which we use to determine password strength:

    https://github.com/dropbox/zxcvbn

  • @julian Thank you. I will look into that.

  • We didn't find much in there but maybe I didn't explain myself correctly. I'm trying to find out what each level's requirement is in terms of characters that make up a password.

    Minimum Password Strength
    1 - Edoardo
    2 - Edoardo1$
    3 - Edoardi1$

  • @nodeham I understood what you were asking, but to be honest zxcvbn was implemented by us quite a long time ago, and I no longer remember what the specifics are.

    However, I can almost guarantee it is nothing as simple as requiring symbols and letters. zxcvbn has its own heuristics for determining password guessability, including metrics such as "closeness" to other simple passwords, or how quickly a computer may brute-force guess it (given some assumptions).

    So I don't think there's a direct comparison between what we have and what you want 🙁
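To make the two answers above concrete (the 0-4 setting is zxcvbn's score, and that score is a guess-count estimate rather than a character-class rule), here is an added example that is not NodeBB's or zxcvbn's own code. It maps a guess count onto the five buckets quoted in the question and contrasts that with a "length plus N character classes" rule of the kind the other app presumably enforces. The guess estimator is a deliberately small stand-in for zxcvbn's matchers: the sample word list, the assumed 30,000-entry attacker dictionary, the x2 for capitalisation, the 10^n for a digit/symbol tail and the sequence cost are all illustrative numbers, not zxcvbn's.

```javascript
// Added example, not NodeBB's or zxcvbn's own code: contrasts a
// character-class rule with a guess-count rule. The score buckets are the
// ones quoted in the thread; the guess estimator is a toy stand-in for
// zxcvbn's matchers (assumed numbers, far fewer matchers than the real library).

// Guess-count thresholds quoted in the thread: score n means guesses < SCORE_THRESHOLDS[n].
const SCORE_THRESHOLDS = [1e3, 1e6, 1e8, 1e10];

// Map an estimated guess count onto the 0..4 scale the setting uses.
function scoreFromGuesses(guesses) {
  for (let score = 0; score < SCORE_THRESHOLDS.length; score += 1) {
    if (guesses < SCORE_THRESHOLDS[score]) return score;
  }
  return 4; // guesses >= 10^10
}

// The kind of composition rule the question wants to map onto: minimum
// length plus a minimum number of character classes (assumed rule, not
// anything from the thread).
const CLASSES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
function meetsClassPolicy(pw, { minLength = 8, minClasses = 3 } = {}) {
  const present = CLASSES.filter((re) => re.test(pw)).length;
  return pw.length >= minLength && present >= minClasses;
}

// Constructed sample word list standing in for the ranked dictionaries
// zxcvbn ships; DICT_SIZE is the assumed size of the attacker's full list.
const DICTIONARY = new Set(['password', 'edoardo', 'welcome', 'summer',
  'correct', 'horse', 'battery', 'staple']);
const DICT_SIZE = 30000;

// True for runs like "12345678" or "abcdef" (consecutive code points, either direction).
function isSequence(s) {
  if (s.length < 3) return false;
  const step = s.charCodeAt(1) - s.charCodeAt(0);
  if (Math.abs(step) !== 1) return false;
  for (let i = 1; i < s.length; i += 1) {
    if (s.charCodeAt(i) - s.charCodeAt(i - 1) !== step) return false;
  }
  return true;
}

// Toy guess estimator. Like zxcvbn it asks "how would an attacker enumerate
// this?" rather than "which classes appear?", but with only three matchers:
// sequences, dictionary words (plus capitalisation and a digit/symbol tail),
// and plain brute force over the classes present.
function estimateGuesses(pw) {
  if (isSequence(pw)) return 36 * pw.length; // assumed cost: a sequence is almost free to enumerate

  const tail = pw.match(/[0-9!@#$%^&*]*$/)[0];     // "Edoardo1$" -> "1$"
  const body = pw.slice(0, pw.length - tail.length);
  const words = body.split(/\s+/).filter(Boolean);
  if (words.length > 0 && words.every((w) => DICTIONARY.has(w.toLowerCase()))) {
    let guesses = 1;
    for (const w of words) {
      guesses *= DICT_SIZE * (w === w.toLowerCase() ? 1 : 2); // x2 for a capitalised variant
    }
    return guesses * Math.pow(10, tail.length);                // common tails are cheap
  }

  // No pattern found: charge full brute force over the classes used.
  const charset = [26, 26, 10, 33].reduce(
    (n, size, i) => n + (CLASSES[i].test(pw) ? size : 0), 0);
  return Math.pow(charset, pw.length);
}

// Evaluate one password under both rules.
function evaluate(pw) {
  const guesses = estimateGuesses(pw);
  return { pw, classPolicy: meetsClassPolicy(pw), guesses, score: scoreFromGuesses(guesses) };
}

// Demo: the two rules disagree in both directions.
if (typeof require !== 'undefined' && require.main === module) {
  for (const pw of ['Edoardo', 'Edoardo1$', '12345678', 'correct horse battery staple', 'xk7#Qp2m']) {
    const r = evaluate(pw);
    console.log(`${pw.padEnd(30)} class rule: ${String(r.classPolicy).padEnd(5)} guesses: ${r.guesses.toExponential(1)}  score: ${r.score}`);
  }
}
```

Under these toy numbers "Edoardo1$" satisfies a length-8, three-class rule but only reaches score 2, while "correct horse battery staple" fails the class rule (two classes) and reaches score 4, and "12345678" is a single class and score 0. That is the mismatch the reply above describes: a class rule and a guessability score are not translations of each other, so any mapping to the other app's settings can only be approximate. To see real values instead of the toy estimate, install the zxcvbn package and read `zxcvbn(pw).guesses` and `zxcvbn(pw).score`; the `score` field is the same 0-4 value the setting is expressed in.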
