Today I stumbled upon an article named Stop forcing your arbitrary password rules on me by Ryan Winchester. The author explains in detail, why it’s a bad idea to force arbitrary password requirements like the following:

Instead he proposes to force a minimum password entropy and suggests to use Dropbox’s zxcvbn library to calculate that. In other words: A short password using a wide range of characters should be as good as a long one using a more limited set.

No rules!

I say: A regular service should never force a minimum password requirement. Maybe your users are creating a dummy account and want to test some features. Forcing a minimum password strength will only lower conversions and won’t protect anything valuable. Instead we should only encourage them to use a good password. Using a strength indicator without any enforcements – maybe combined with a simple minimum length requirement – will be all you need to protect those accounts, that need protection.

And therefore I present redmine_zxcvbn. It’s a redmine plugin which adds a strength/quality indicator to all password fields throughout Redmine. It does not add any server side requirements concerning password quality. It only shows a little progress bar below the password field which will inform the user about the quality of their choice. It remains their responsibility to pick a password which is fit to their security requirements.



Head over to GitHub. You may find all the nitty gritty details in the README. I am missing something? Please create a bug report here.

The plugin is also listed in the Redmine Plugin directory. So if you like it, please go there and leave a 5 star review.