Is your feature request related to a problem? Please describe.
Kratos is not accepting any password that has been in a security breach in the past according to the great haveibeenpwned website. It sounds good on paper, but in practice I feel like too many people will simply give up registering, or set a password that they will immediately forget.
Describe the solution you'd like
Requiring passwords that have never been in a breach is a good idea in many scenarios. It should probably be the default, but I think a configurable threshold can be a good usability improvement in scenarios where a relatively weak password is acceptable.
Describe alternatives you've considered
–
Additional context
I don't have data to back up my claims but here is what I found with a quick search:
Troy Hunt's point of view: "it depends"
The true cost of unusable password policies: password use in the wild: "policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use."
Rethinking Password Policies:
"- Is the user able to understand what is required of her; can the user understand how to use the security mechanism properly, recognize when she's failed, and understand why?
- Is the user capable of using the mechanism properly?
- Does the user understand the goal of the security mechanism?
- Is the user motivated to follow the security requirements?
- Do the requirements and interface match the user's understanding of the security goals?"
Encountering stronger password requirements: user attitudes and behaviors
"Some users struggle to comply with new password requirements. Most users created their new password in a single attempt, and believed they would be able to login in one try. However, 19% of users reported already forgetting their new passwords." (explicit rules in this test).
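To make the "configurable threshold" concrete, here is an added sketch (not Kratos code, not from the issue author) of how a breach-count threshold sits on top of the haveibeenpwned k-anonymity range check: the client sends only the first 5 hex characters of the password's SHA-1, gets back `SUFFIX:COUNT` lines, and compares the matching count against a policy value. The range response below is constructed inline with made-up counts so the example runs offline; `Policy`, `MaxBreaches` and `BreachCount` are names assumed for this example only.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// SampleRangeBody is a constructed stand-in for the body returned by
// GET https://api.pwnedpasswords.com/range/5BAA6 (5BAA6 is the prefix of
// SHA-1("password")). Suffixes and counts are made up for this example.
func SampleRangeBody() string {
	return "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n" +
		"1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n" +
		"1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n" +
		"1E6B3D7F0F7B5A2A3B5C6D7E8F9A0B1C2D3:1\r\n"
}

// BreachCount hashes the password, drops the 5-character prefix already
// sent to the API, and looks for the remaining 35-character suffix in the
// range response. A password absent from the response has count 0.
func BreachCount(password, rangeBody string) (int, error) {
	sum := sha1.Sum([]byte(password))
	suffix := strings.ToUpper(hex.EncodeToString(sum[:]))[5:]
	sc := bufio.NewScanner(strings.NewReader(rangeBody))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// Policy is the assumed configurable threshold: a password is rejected when
// its breach count exceeds MaxBreaches. MaxBreaches of 0 reproduces the
// current "never seen in any breach" behaviour.
type Policy struct{ MaxBreaches int }

func (p Policy) Allows(count int) bool { return count <= p.MaxBreaches }

func main() {
	n, _ := BreachCount("password", SampleRangeBody())
	strict, lenient := Policy{}, Policy{MaxBreaches: 20000}
	fmt.Printf("seen %d times: strict=%v lenient=%v\n", n, strict.Allows(n), lenient.Allows(n))
}
```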