
Security: Password strength level meaning


#1

In Setup --> System Settings --> SECURITY, I can specify a Minimum Password score.

How can I find out what rule(s) every score level implies?
Put another way - If I set it to 5, what list of rules can I tell users will be expected of them in terms of password format adherence/conformance?


#2

Hi! The integer value scores apparently relate to complexity estimation, not actual discrete rules.

To learn more, refer to this, for example:

https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/


#3

Is there a way to know the minimum requirements?
Password length, special characters, etc.


#4

For clues, a web search on zxcvbn may provide answers?

Let us know what you find!


#5

On further study and just to clarify -

ERPNext uses zxcvbn just to assess a user supplied password

Whereas passlib provides the backend functions to handle passwords

I am not familiar with passlib https://passlib.readthedocs.io/en/stable/

Since that is a business policy decision, my guess is rather than code and have to support this, ERPNext provides zxcvbn instead for users to assess passwords.
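Posts #2 and #5 make the same point: the score is an estimate of how many guesses an attacker would need, not a checklist of character classes. The following added example (written for this thread, not code from ERPNext, Frappe or the zxcvbn library) shows why the two cannot be translated into each other. It is a deliberately small guess estimator in the zxcvbn style: a constructed ten-word "common password" list, a handful of leet substitutions, year and repeat detection, and zxcvbn's published cut-offs of 10^3, 10^6, 10^8 and 10^10 guesses for scores 1 to 4. The dictionary, the reference year 2019 and the per-token guess formulas are simplifications assumed here, so absolute numbers differ from real zxcvbn; the shape of the result does not. A `meets_minimum_score` function stands in for the "Minimum Password score" setting, and `passes_naive_rules` is the kind of rule list the original poster was hoping to hand to users.

```python
import math
import re

# Constructed, tiny ranked list standing in for zxcvbn's frequency dictionaries
# (the real library ships tens of thousands of ranked words). Rank ~= how many
# guesses an attacker trying words in popularity order needs to reach this one.
COMMON_WORDS = ["password", "welcome", "admin", "letmein", "dragon",
                "monkey", "erpnext", "qwerty", "iloveyou", "football"]
RANK = {w: i + 1 for i, w in enumerate(COMMON_WORDS)}

# A few common leet substitutions, undone before the dictionary lookup.
L33T = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# zxcvbn's published score cut-offs on the estimated guess count.
SCORE_THRESHOLDS = (1e3, 1e6, 1e8, 1e10)
REFERENCE_YEAR = 2019  # assumption for this example; zxcvbn uses the current year


def charset_size(ch):
    """Size of the smallest character class a brute-force attacker must cover."""
    if ch.isdigit():
        return 10
    if ch.isalpha():
        return 26
    return 33  # printable symbols, including space


def match_word(pw, i):
    """Longest dictionary word starting at pw[i] after case folding and leet unmapping."""
    for end in range(len(pw), i, -1):
        raw = pw[i:end]
        word = raw.lower().translate(L33T)
        if word in RANK:
            guesses = RANK[word]
            if raw != raw.lower():
                guesses *= 2      # attacker also tries capitalised variants
            if raw.lower() != word:
                guesses *= 2      # attacker also tries leet variants
            return end, guesses
    return None


def match_repeat(pw, i):
    """Runs like 'aaaa': one character choice times the run length."""
    m = re.match(r"(.)\1{2,}", pw[i:])
    if not m:
        return None
    run = m.group()
    return i + len(run), charset_size(run[0]) * len(run)


def match_digits(pw, i):
    """Digit runs: recent years and simple sequences are cheap, random digits are not."""
    m = re.match(r"\d+", pw[i:])
    if not m:
        return None
    run = m.group()
    end = i + len(run)
    if len(run) == 4 and 1900 <= int(run) <= 2029:
        return end, max(abs(int(run) - REFERENCE_YEAR), 20)  # years near the present
    if len(run) >= 3 and all(int(b) - int(a) in (1, -1) for a, b in zip(run, run[1:])):
        return end, 10 * len(run)  # 1234 / 4321: a start digit plus a direction
    return end, 10 ** len(run)


def estimate_guesses(pw):
    """Greedy left-to-right tokenisation; total guesses = product over tokens.

    zxcvbn searches all segmentations for the cheapest one; the greedy walk is
    a simplification that keeps this example short.
    """
    i, tokens = 0, []
    while i < len(pw):
        hit = match_word(pw, i) or match_repeat(pw, i) or match_digits(pw, i)
        if hit is None:
            hit = (i + 1, charset_size(pw[i]))  # brute-force a single character
        end, guesses = hit
        tokens.append((pw[i:end], guesses))
        i = end
    return math.prod(g for _, g in tokens), tokens


def score(pw):
    """0..4, using zxcvbn's guess-count thresholds."""
    guesses, _ = estimate_guesses(pw)
    return sum(guesses >= t for t in SCORE_THRESHOLDS)


def meets_minimum_score(pw, minimum):
    """Stand-in for a 'Minimum Password score' setting: accept iff score >= minimum."""
    return score(pw) >= minimum


def passes_naive_rules(pw):
    """The classic 8+ chars, upper, lower, digit, symbol checklist, for contrast."""
    return (len(pw) >= 8 and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd1!", "Erpnext2019!", "aaaaaaaa", "tangerine hallway quartz"]:
        guesses, tokens = estimate_guesses(pw)
        print(f"{pw!r:28} rules={passes_naive_rules(pw)!s:5} score={score(pw)} "
              f"guesses~{guesses:.2e} tokens={[t for t, _ in tokens]}")
```

Run as-is, the table shows "P@ssw0rd1!" and "Erpnext2019!" satisfying every item of the naive checklist while scoring 1, because the estimator peels off a dictionary word, a year and a trailing symbol and is left with only a few thousand guesses; "tangerine hallway quartz" fails the checklist (no upper-case letter, no digit) yet scores 4, because nothing in it is cheap to guess. That asymmetry is why the setting is expressed as a score rather than as rules: any fixed rule list either admits the first two or rejects the third.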


#6

https://lowe.github.io/tryzxcvbn/ will tell you how strong the password is