Problem/Motivation

In #432962: Add option to disable password strength checking a discussion arose that the password strength check should be disabled by default. This issue has been created to host that discussion.

Proposed resolution

The proposed resolution is to disable the password strength check by default.

Remaining tasks

Discuss this issue in order to arrive at a resolution.

User interface changes

The option to enable the password strength check would be disabled by default as opposed to enabled.

API changes

None.

#432962: Add option to disable password strength checking

Comments

In comment #32 of #432962: Add option to disable password strength checking @darioshanghai says:

Password checker should be optional and disabled.

- it's confusing to use
- it's not necessary. Even big websites don't have one (google? facebook? twitter?)
- it takes a split second to tick the appropriate tickbox to enable, while it can take an hour or two to figure out how to disable it

Speaking as unexperienced developer, it's very frustrating and incredibly time consuming to have to figure stuff out to REMOVE features. In my particular case I have tried for over one hour editing CSS and the damn thing, although invisible, is causing a blank space to appear all of a sudden under the password box, on drupal 7 with the included theme. (See image).

What's gonna happen is that I'll have to just live with it or accept a crappy theme until I learn how to hack the core. This is wrong.

Please consider simplicity a priority. Thank you.

I don't think it's confusing to use, I do think it's necessary as we want to encourage more security where we can.

If it's there and you want to find out how to disable it then we now have a solution for that once #432962: Add option to disable password strength checking has been committed. It will take a split second to disable whereas could take a lifetime to discover if you don't even know it's there so wouldn't even be asking how to switch it on.

Earlier in the discussion in comment #12 @Dries says:

In 95% of the cases, it _is_ useful to have the password strength check.

If we disable by default, the majority of users won't even know the functionality is there, and we want to be encouraging more security where we can.

I agree more with Dries that it is more useful than not, and provided there is an easy way to disable it, which #432962: Add option to disable password strength checking addresses, then we are ok and this issue should be set as closed (won't fix).

Status:Needs review» Active

I'd agree that this is an important security feature, so I'm generally -1 on disabling it by default.

Setting active since there's not a patch here. Thanks @stevepurkiss!

Status:Active» Needs review

I disagree with the intent here. As stevepurkiss notes, most site builders won't even come across the option and it won't ever be turned on—which isn't the end of the world, but it's good to have. With the option to disable it, those who want to may, but it should not be disabled by default.

Minor correction: the original comment requesting disabled-by-default was #432962-31: Add option to disable password strength checking.

MBroberg made a legit point in this comment.

I have users that like using comfortable, familiar, easy passwords. They feel that the warnings force them to change to a difficult password, then they forget what it was, then they get upset that this is "required". A warning might be nice, but gentler, so that they don't feel like it is mandatory (they usually don't read fine print) .
So yes it is needed and should be up to the site designer.

I'd like to use his argument to make the case against disabling by default as we don't want the admin user to create a "comfortable, familiar, easy" password; we always want them to create a difficult - and thus, more secure - password and the indicator allows them to know immediately if their password meets that criteria.

If users really are getting confused then we should open another UX/UI issue to redesign the way the indicator is presented.

Status:Needs review» Active

If the path is to make it easier to allow users to have bad passwords, it makes more sense to have passwordless access as a core option. Ship has sailed...

Reverting to active.

As much as I personally hate the password strength checker, science (Science!) says that password strength check actually does result in change of user habits.

Since #432962 has been committed, and it is possible to disable this via config, I'll put in my -1 vote on this feature.

(There are already some issues floating around about how Drupal's password strength checker doesn't provide very good advice, so I'll refrain from ranting about that.)

This issue has been open for 11 months, and the comments thus far have been 100% against disabling the password checker by default. I'm also against disabling the checker by default. I think the reasons on both sides have been articulated. Can we close this as a "won't fix" now?

Status:Active» Closed (won't fix)

Yep, I think so.