Encourage strong passwords by indicating when passwords are weak (and when passwords don't match) #13070
Comments
That could also be added in admin when changing one's own password or creating new users.
Thanks for the suggestion, it would be great & valuable to encourage users to create strong passwords. Maybe we could create+link to a FAQ on Matomo.org explaining that it's important to use password managers, and store the encrypted database on a backed up drive. Regarding the indicator when passwords don't match... maybe we could even remove the need to type the password twice, and only have the password field once? As long as people have a valid email address in their profile they can easily reset the password if there was a typo.
You could also include a most popular password list and throw an error if the entered password appears in there.
I'm moving this to 3.7 as it has a huge security benefit. (move it back, if you have planned it for a later release)
Moving it back to the backlog as it currently doesn't have a priority.
I disagree with my old post above. I don't think (anymore) that a password strength indicator has a huge security benefit. And any indicator is either incorrect or too simplified or ends up replicating Dropbox's zxcvbn which is too huge for frontend. And one can already easily write a plugin that validates submitted plugins with it.
I think it'd be helpful for the admin to have the following dynamic (JS-driven) indicators, just like WordPress: