Releasing redmine_zxcvbn 1.0.0
Today I stumbled upon an article named "Stop forcing your arbitrary password rules on me" by Ryan Winchester. The author explains in detail why it’s a bad idea to force arbitrary password requirements like the following:
"Your password must be at least 8 characters including one uppercase letter, one number, 3 Emojis & the first verse of Bohemian Rhapsody". — I Am Devloper (@iamdevloper), November 13, 2014
Instead, he proposes enforcing a minimum password entropy and suggests using Dropbox’s zxcvbn library to calculate it. In other words: a short password using a wide range of characters should be as good as a long one using a more limited set.
I say: A regular service should never force a minimum password requirement. Maybe your users are creating a dummy account and want to test some features. Forcing a minimum password strength will only lower conversions and won’t protect anything valuable. Instead, we should only encourage them to use a good password. Using a strength indicator without any enforcement – maybe combined with a simple minimum length requirement – will be all you need to protect the accounts that need protection.
And therefore I present redmine_zxcvbn. It’s a Redmine plugin which adds a strength/quality indicator to all password fields throughout Redmine. It does not add any server-side requirements concerning password quality. It only shows a little progress bar below the password field which informs users about the quality of their choice. It remains their responsibility to pick a password that fits their security requirements.
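The entropy comparison and the advisory indicator described above, as an added sketch that is not code from redmine_zxcvbn or from zxcvbn itself. It uses a naive length × log2(pool) estimate; the function names, thresholds and sample password list are assumptions, and the dictionary check shows the case where the naive estimate overrates a password, which is the gap zxcvbn's pattern matching closes.

```javascript
// Added illustration: naive character-pool entropy, NOT zxcvbn's algorithm.
// Names, thresholds and the sample list below are assumptions.

// Character classes and the pool size each contributes when present.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 32 }, // printable ASCII punctuation
];

// Constructed sample of well-known passwords; real estimators ship large lists.
const COMMON = new Set(["password1!", "qwerty123", "letmein"]);

// Upper bound on entropy in bits, valid only if every character is random.
function naiveBits(password) {
  const pool = CLASSES.reduce(
    (n, c) => (c.re.test(password) ? n + c.size : n), 0);
  const length = [...password].length; // count code points, not UTF-16 units
  return pool === 0 ? 0 : length * Math.log2(pool);
}

// Map to a 0..4 level for the progress bar. Advisory only: nothing is rejected.
function indicatorLevel(password) {
  // A dictionary hit overrides the arithmetic: "Password1!" looks like 65 bits.
  if (COMMON.has(password.toLowerCase())) return 0;
  const thresholds = [28, 36, 60, 80]; // assumed cut-offs in bits
  const bits = naiveBits(password);
  return thresholds.filter((t) => bits >= t).length;
}

// Width of the progress bar in percent for a given input.
function barWidth(password) {
  return indicatorLevel(password) * 25;
}

// Constructed inputs: 8 random chars from ~94 symbols vs 12 random lowercase.
const shortWide = "k#9Q!x2@";
const longNarrow = "qmzvtkhwprxj";
console.log(naiveBits(shortWide).toFixed(1), barWidth(shortWide));
console.log(naiveBits(longNarrow).toFixed(1), barWidth(longNarrow));
console.log(naiveBits("Password1!").toFixed(1), barWidth("Password1!"));
```

The two random passwords land in the same band despite their different lengths, while the dictionary word scores zero even though the pool arithmetic alone would rate it highest of the three.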
The plugin is also listed in the Redmine Plugin directory. So if you like it, please go there and leave a 5-star review.