Upon cursory inspection, it appears that efforts to make the password checker functionality in the user system more user friendly may have resulted in functionality that is not equal to or greater than that which exists in Drupal 6 with respect to proper password strength assessment.

To reproduce the issue:

  1. Create a new user in a D7 installation
  2. Enter something terrible, such as the string "password", as the password
  3. Note the Fair rating
  4. Repeat steps #1 and #2 in a D6 installation
  5. Note the Low rating

What I was expecting:

  1. The same behavior from both systems
  2. The correct behavior (e.g. identifying a common English language dictionary word with a 'low' rating seems to be the correct behavior)

What Happened Instead:

As shown in the attached screenshot, I entered the following password into both Drupal 6 and Drupal 7 password fields, and received a differing assessment of my chosen password's strength:

  • Drupal 6 reported that the strength of my chosen password was Low.
  • Drupal 7 reported that the strength of my chosen password was Fair.

The password I chose to test: password

This difference in opinion on the password strength raises some questions:

  • Is the Drupal 7 password strength checking code radically altered from Drupal 6 in a way that can perhaps now inspire false confidence in weak passwords (such as in the case illustrated by the example provided)?
  • Is the Drupal 7 password strength checking code not currently aware of common garbage passwords, using lone dictionary words, and other similar bad password patterns?

Thanks for your time!

Comment | File | Size | Author
#1 | drupal_password_strength.jpg | 63.12 KB | brianshumate

Comments

brianshumate

Status: new, Size: 63.12 KB

Bojhan

Issue tags: -Usability, -password, -D7UX

Let's go with an actual appropriate tag. I expect the last of your listed items, garbage passwords, to apply here.

brianshumate

I suppose I was mistaken in my thinking that this new password strength interface was improved based on D7UX feedback, but that is not the case after all?

Also, Bojhan, are you confident that this issue has nothing to do with usability? I don't think I can agree with that assessment. Can you please explain why the tags I used aren't appropriate? I'd like to avoid mis-tagging future issues.

Thanks

brianshumate

Status: Active » Closed (duplicate)

This issue looks similar: http://drupal.org/node/454014

There are probably others, so I'll close this and forget about it.