#787 Provide a simple built-in password strength filter

open
nobody
None
1
2015-08-02
2015-07-21
MrMe
No

I noticed that when creating a new safe, Password Safe will tell you if the passphrase is weak and too short, and still allows the user to use it. It could be useful for those importing a database into Password Safe or those that did not practice good password policy in the past and now want to address their weak passwords to have a simple menu option to see a report on the password strength of all their entries. Maybe five quality levels such as: poor/weak, good, better, best, excellent can work.

I know users can already create their own custom password policy/length filter, but a simple, built-in one with reasonable heuristics for strong vs. weak passwords, like other password managers have, is what I'm thinking. This would be especially good for new, less experienced users who may not know how to create their own filters.

The feature should, however, have a configuration option for users to indicate a password that should be skipped in the report, since many users use a fixed default password like 'n/a' for entries where they only use the Notes and the password is a don't care.

The built-in option could go under the current View menu as for example, View>Filters>Password Strengths

Discussion

  • DrK

    DrK - 2015-07-26

    We have looked at this in the past but, eventually, decided that there is no easy or standard method to decide if a password is strong.

    It is very easy to determine that some passwords are weak i.e. too short, does not have at least one uppercase, lowercase, digit or symbol but this is not good enough for all e.g. P@55w0rd meets those requirements and has a reasonable length of 8 but is very very high on the list of simple guessable passwords.

    In addition, what is strong today may be weak tomorrow depending on the advances made in the cryptography field. This means an ongoing effort to ensure that the method used is kept up to date with these advances and I am not sure the developers associated with this project have the resources to do this.

    There is a significant downside on supplying this functionality within PasswordSafe if we can’t find a very good and well respected methodology for deciding the strength of a password if the user assumes we have got it right but we didn’t and their password is compromised.

     
  • MrMe

    MrMe - 2015-08-02

    DrK, I agree with many of your points. As I mentioned, many password managers now have this feature, so it is something that could be useful, despite the downsides. Since Password Safe developers are volunteering their time, I have no expectation that this feature will be added, but just wanted to put it out there for consideration.
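
Added example, not part of the ticket or of Password Safe's code: a sketch of the per-entry report requested in the ticket, including the skip list for placeholder passwords, which also shows the case DrK raises, where P@55w0rd passes the composition rule yet reduces to a common word. The word list, substitution map, result labels and sample entries are constructed assumptions.

```python
import string

# Constructed sample list; a real check would need a large, maintained corpus.
COMMON = {"password", "letmein", "qwerty", "welcome", "admin"}

# Assumed map of common character substitutions, undone before the lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "0": "o",
                      "5": "s", "$": "s", "7": "t"})


def composition_ok(pw, min_len=8):
    """Rule from the thread: minimum length plus upper, lower, digit, symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def guessable(pw):
    """True if pw reduces to a common word once padding and substitutions go."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET) in COMMON


def rate(pw, skip=("n/a",)):
    if pw in skip:                      # placeholder password, left out of the report
        return "skipped"
    if not composition_ok(pw):
        return "weak: fails composition rule"
    if guessable(pw):
        return "weak: common password variant"
    return "no finding"                 # absence of a finding is not proof of strength


def report(entries, skip=("n/a",)):
    """Map each entry title to its rating."""
    return {title: rate(pw, skip) for title, pw in entries.items()}


# Constructed entries for illustration.
SAMPLE = {"Router notes": "n/a", "Old forum": "abc123",
          "Mail": "P@55w0rd", "Bank": "kV9#tq2!Lm7xRw"}

if __name__ == "__main__":
    for title, result in report(SAMPLE).items():
        print(f"{title:14} {result}")
```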

     
