I recently saw something terrible happen again. Another website was hacked with a very simple attack. An attack that's been used time and time again. It was a brute force attack trying common usernames and passwords. This is annoying to have to fix, it is real trouble when the server or site ends up being used for something malicious, and the users feel terrible for being the cause with their weak passwords. There is something we can do about it. We can put password strength testers everywhere someone sets a new password or changes an existing one. Let users know when their passwords are weak and what they can do to make them stronger.
What Users Don't Know
People who build websites and maintain networks know that strong passwords make a difference. We know different ways sites and services are attacked and that a strong password makes it harder for an account to be hacked.
Everyday users don't know that strong passwords make a real difference. They may have heard about it, but they aren't in the business of websites, so they don't typically see the difference. If anything, they know that complicated passwords are a nuisance because they are hard to remember.
What users don't know can hurt them and you. A person's information may be maliciously obtained or a server hacked, and you may have to fix it. One step in the right direction is password strength testers. Let users know, while they are typing in a password, how they can make it better.
This is a common enough problem that there are plenty of free and open source scripts that already provide this functionality. Here are a few:
- jQuery Plugin: Password Validation - Provides a password strength meter where the algorithm and the messages can both be overridden, making it well suited for internationalization.
- jQuery Password Strength Meter - Provides a highly configurable plugin where all the options to use in rating strength can be passed in as arguments.
- jQuery Password Strength Tester - A simple and lightly configurable password strength meter.
Whether you use one of these scripts, another script, or one of the many tutorials available on how to write something like this, please consider putting password strength meters everywhere. They can make a difference.
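To show what such a meter computes behind the input field, here is an added example (not from the original post or any of the plugins listed): a framework-free scoring function that rejects the common passwords a brute force attack tries first and returns suggestions to show the user. The function name, the thresholds and the short common-password list are assumptions made for illustration.

```javascript
// Added example: scoring function for a password strength meter.
// COMMON_PASSWORDS is a tiny constructed sample; a real deployment would load
// a much larger list of known-weak passwords.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "12345678", "qwerty", "letmein", "admin", "welcome",
]);

// Returns { score: 0..4, label, suggestions[] } for display next to the field.
function ratePassword(password, username = "") {
  const suggestions = [];
  const lower = password.toLowerCase();
  // Strip trailing digits/symbols so "Password1!" still matches "password".
  const base = lower.replace(/[^a-z]+$/, "");

  // Brute force attacks start with common passwords and the username itself,
  // so either one is rated weakest regardless of anything else.
  if (COMMON_PASSWORDS.has(lower) || COMMON_PASSWORDS.has(base)) {
    return { score: 0, label: "Very weak", suggestions: ["Avoid commonly used passwords."] };
  }
  if (username && lower.includes(username.toLowerCase())) {
    return { score: 0, label: "Very weak", suggestions: ["Do not include your username."] };
  }

  let score = 0;
  if (password.length >= 8) score += 1;
  else suggestions.push("Use at least 8 characters.");
  if (password.length >= 12) score += 1;
  else suggestions.push("Longer passwords or passphrases are stronger.");

  // Count character classes present: lower, upper, digit, other.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  if (classes >= 2) score += 1;
  if (classes >= 3) score += 1;
  else suggestions.push("Mix upper and lower case letters, digits and symbols.");

  // A single repeated character ("aaaaaaaaaaaa") gains nothing from length.
  if (/^(.)\1*$/.test(password)) {
    score = 0;
    suggestions.push("Avoid repeating one character.");
  }

  const labels = ["Very weak", "Weak", "Fair", "Good", "Strong"];
  return { score, label: labels[score], suggestions };
}
```

Call it from the field's `input` event and render `label` and `suggestions` beside the field; run the same check on the server when the password is saved, since client-side code can be bypassed.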