
Lcm password policy #8

Open
LamaKing opened this issue Feb 25, 2017 · 4 comments

Comments

@LamaKing (Member)

What is the policy we want to apply, i.e. how to implement checkpwd.py?

Beside what AndreaTsh has already done, I think that we should at least look for exact matches of name, surname and login, as it is in the current version of userconf.

@Sbozzolo (Contributor)

What do you mean? What is checkpwd supposed to do exactly?

@LamaKing (Member, Author)

Checkpwd.py is the script in andreatsh's branch that checks the strength of the pw inserted by users.
As for now, it strips the first and last characters and looks for 3 classes: capital letters, lowercase, and one of either a number or a non-alphanumeric character.

As I said, I think it should also verify that none of the user details have been used to create the password, e.g. name, login and so on.

@Sbozzolo (Contributor)

If we want something very thorough we could use zxcvbn. This is the package Dropbox uses. It's reliable, highly customizable, and provides indications on how the user can improve his password if requirements are not met.
The usage is really simple: it suffices to call zxcvbn('JohnSmith123', user_inputs=['John', 'Smith']) to get a score from 0 to 4; if the score is less than 3 the password is weak.
The drawback is that it adds another dependency we might not want, but I think it's worth checking out since it's a nice and well-made project.
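An implementation of the policy described in this thread (strip the first and last characters, require three character classes in the rest, and reject passwords that contain the user's name, surname or login, case-insensitively), written here as an added example. It is not the project's checkpwd.py and it does not call zxcvbn, so it runs with the standard library alone; the minimum length of 8 is an assumption, since the thread does not state one.

```python
import re

# Character classes required on the inner characters, as described in the thread:
# uppercase, lowercase, and at least one of a digit or a non-alphanumeric character.
_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit or symbol": re.compile(r"[0-9]|[^A-Za-z0-9]"),
}

MIN_LENGTH = 8  # assumed minimum; the thread does not specify one


def check_password(password, user_inputs=()):
    """Return a list of policy violations; an empty list means the password passes.

    user_inputs holds user details (name, surname, login) that must not appear
    anywhere in the password, compared case-insensitively. This mirrors the
    user_inputs idea of zxcvbn without depending on it.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Strip the first and last character so a single leading capital or a
    # trailing digit does not satisfy the class requirement on its own.
    core = password[1:-1]
    for name, pattern in _CLASSES.items():
        if not pattern.search(core):
            problems.append("no %s among the inner characters" % name)

    lowered = password.lower()
    for detail in user_inputs:
        needle = detail.strip().lower()
        # Ignore very short details (initials) that would match almost anything.
        if len(needle) >= 3 and needle in lowered:
            problems.append("contains user detail %r" % detail)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, the same as the one quoted in the thread.
    for pw in ("JohnSmith123", "Password1", "xK9#mQv2pL"):
        print(pw, "->", check_password(pw, user_inputs=["John", "Smith"]) or "ok")
```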

@Sbozzolo (Contributor) commented Oct 20, 2017

Many people have problems with the current password policy, which actually is known not to be the best one. What about switching to XKCD 936 improved with symbols standard?
