zulip: portico: Add zxcvbn error messages and time-to-crack on registration page.

Update: To complete this issue, please rebase #6513 and address the feedback.


A surprisingly common frustration while registering for Zulip is that our password checker, zxcvbn, will consider someone’s password (like d0nth4ckMe) too weak, and they won’t understand why. I think a good user doc here (that we could link to from the error message) would help a lot.

Suggested content (title: "Why does Zulip think my password is too weak?"):

Zulip uses the zxcvbn password checker, which makes a guess as to how long a modern password cracker will take to guess your password. If zxcvbn can crack your password in less than a certain amount of time (a couple of hours by default, but the server admin can change this), then we don’t allow the password. Explain that we only have false negatives; e.g. if zxcvbn thinks your password is weak, it has a proof that it is weak, but it doesn’t check for everything, so just because it thinks your password is strong doesn’t mean it is actually strong.

Some tips for making strong passwords: don’t use repeated letters, suggest things like 1password, maybe embed the xkcd comic. Also explain not reusing passwords.
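To make the mechanism behind that error concrete, here is an added, self-contained toy of the zxcvbn approach: it is illustration written for this page, not Zulip's or zxcvbn's code. It assumes a constructed eight-word ranked wordlist, a small l33t substitution table, a 10-guesses-per-character floor for characters it cannot explain (modelled on zxcvbn's brute-force floor), an attacker rate of 10^4 guesses per second (an offline attack on a slow hash), and the "couple of hours" threshold the issue mentions. It shows why `d0nth4ckMe` is rejected with a specific reason and estimated time-to-crack, and why a password the dictionary happens not to cover (`Spring2024!`) slips through: the checker only proves weakness, it never proves strength.

```python
"""Toy zxcvbn-style strength estimator (added illustration; not Zulip's or zxcvbn's code)."""
import math
from dataclasses import dataclass

# Constructed, tiny ranked wordlist (rank 1 = most likely guess). Real zxcvbn ships ranked
# lists of tens of thousands of leaked passwords, English words, names and surnames.
RANKED_WORDS = ["password", "dont", "hack", "me", "love", "zulip", "dragon", "letmein"]
WORD_RANK = {w: i + 1 for i, w in enumerate(RANKED_WORDS)}

# l33t substitutions that cracking rule sets undo before a dictionary lookup.
L33T = {"0": "o", "4": "a", "3": "e", "1": "i", "@": "a", "$": "s", "5": "s", "7": "t"}

BRUTEFORCE_GUESSES_PER_CHAR = 10   # floor for characters the estimator cannot explain (assumed)
GUESSES_PER_SECOND = 1e4           # assumed: offline attack on a slow hash (bcrypt/argon2 class)
MIN_CRACK_SECONDS = 2 * 60 * 60    # "a couple of hours"; a deployment would make this admin-configurable


@dataclass
class Match:
    token: str      # the slice of the password this match explains
    kind: str       # "dictionary" or "bruteforce"
    guesses: float  # estimated guesses a cracker needs to reach this token
    why: str        # human-readable explanation for the error message


@dataclass
class Verdict:
    accepted: bool
    guesses: float
    crack_seconds: float
    feedback: str


def _normalize(chunk: str) -> str:
    """Lowercase and reverse l33t substitutions, mirroring what a cracker's rules try."""
    return "".join(L33T.get(c, c) for c in chunk.lower())


def match_password(password: str) -> list[Match]:
    """Greedy left-to-right segmentation: at each position take the longest chunk that
    normalizes to a dictionary word; anything unexplained is charged as brute force."""
    matches: list[Match] = []
    i = 0
    while i < len(password):
        found = None
        for j in range(len(password), i, -1):   # longest candidate first
            chunk = password[i:j]
            word = _normalize(chunk)
            if word in WORD_RANK:
                guesses = float(WORD_RANK[word])
                mods = []
                if chunk != chunk.lower():        # capitalisation variant: one extra doubling
                    guesses *= 2
                    mods.append("capitalised")
                if word != chunk.lower():         # l33t substitution: one extra doubling
                    guesses *= 2
                    mods.append("l33t")
                why = f"'{chunk}' is the common word '{word}' (rank {WORD_RANK[word]}"
                why += f", {' + '.join(mods)})" if mods else ")"
                found = Match(chunk, "dictionary", guesses, why)
                break
        if found is None:
            ch = password[i]
            if matches and matches[-1].kind == "bruteforce":   # extend the running brute-force span
                prev = matches[-1]
                matches[-1] = Match(prev.token + ch, "bruteforce",
                                    prev.guesses * BRUTEFORCE_GUESSES_PER_CHAR, prev.why)
            else:
                matches.append(Match(ch, "bruteforce", float(BRUTEFORCE_GUESSES_PER_CHAR),
                                     "no pattern found; charged as brute force"))
            i += 1
        else:
            matches.append(found)
            i += len(found.token)
    return matches


def human_time(seconds: float) -> str:
    """Coarse, user-facing duration in the spirit of zxcvbn's display strings."""
    units = (("second", 1), ("minute", 60), ("hour", 3600), ("day", 86400), ("year", 86400 * 365))
    if seconds < 1:
        return "less than a second"
    name, size = units[0]
    for candidate, s in units:
        if seconds >= s:
            name, size = candidate, s
    n = int(seconds // size)
    if name == "year" and n >= 100:
        return "centuries"
    return f"{n} {name}{'s' if n != 1 else ''}"


def check_password(password: str, min_crack_seconds: float = MIN_CRACK_SECONDS) -> Verdict:
    """Reject only when the estimator can *show* the password falls below the threshold.
    A password it cannot explain is passed: that is the false-negative caveat from the issue."""
    matches = match_password(password)
    guesses = math.prod(m.guesses for m in matches)
    seconds = guesses / GUESSES_PER_SECOND
    accepted = seconds >= min_crack_seconds
    lines = [f"Estimated time to crack: {human_time(seconds)}"]
    if not accepted:
        lines.append(f"Too weak: must survive at least {human_time(min_crack_seconds)} of guessing.")
        lines += [m.why for m in matches if m.kind == "dictionary"]
    return Verdict(accepted, guesses, seconds, "\n".join(lines))


if __name__ == "__main__":
    for pw in ("d0nth4ckMe", "zulipzulipzulip", "Spring2024!"):
        v = check_password(pw)
        print(f"{pw!r}: {'accepted' if v.accepted else 'rejected'}\n{v.feedback}\n")
```

Running it, `d0nth4ckMe` is explained as `dont` + `hack` + `me` with l33t and capitalisation doublings, about 200 guesses in total, and is rejected with those three reasons attached to the error; `zulipzulipzulip` is rejected because repetition of a known word multiplies rather than adds to the guess count. `Spring2024!` is accepted only because the constructed wordlist does not contain "spring" or year patterns, which is exactly the false negative the proposed user doc should warn about: a pass from the checker is an absence of evidence, not a proof of strength.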

About this issue

  • State: open
  • Created 7 years ago
  • Comments: 38 (22 by maintainers)

Most upvoted comments

@rishig @alya The issue is assigned to @visuvasi, but I see that there is no update on it for a long time. So can you please assign this issue to me. Thanks.

Just noting the state of this, since it took me a bit of reading this thread to figure it out: https://github.com/zulip/zulip/pull/6513 is a mostly complete PR for this, but likely needs a bit of styling and word choice.