Encourage strong passwords by indicating when passwords are weak (and when password don't match) #13070
Comments
sgiehl
added
the
Enhancement
|
That could also be added in admin when changing the own password or creating new users |
mattab
changed the title
mattab
added
the
c: Security
mattab
changed the title
|
Thanks for the suggestion, it would be great & valuable to encourage users to create strong passwords. Maybe we could create+link to a FAQ on Matomo.org explaining that it's important to use password managers, and store the encrypted database on a backed up drive. Regarding the indicator when password don't match... maybe we could even remove the need to type the password twice, and only have the password field once? As long as people have a valid email address in their profile they can easily reset the password if there was a typo. See also #19961 |
|
You could also include a most popular password list and throw an error if the entered password appears in there |
|
I'm moving this to 3.7 as it has a huge security benefit. (move it back, if you have planned it for a later release) |
|
Moving it back to the backlog as it currently doesn't have a priority. |
Findus23
added
the
c: Usability
|
I disagree with my old post above. I don't think (anymore) that a password strength indicator has a huge security benefit. And any indicator is either incorrect or too simplified or ends up replicating Dropbox's zxcvbn which is too huge for frontend. And one can already easily write a plugin that validates submitted plugins with it. |
I think it'd be helpful for the admin to have the following dynamic (JS-driven) indicators, just like WordPress:
The text was updated successfully, but these errors were encountered: