R – How to enforce strong passwords


There are many techniques to enforce strong passwords on website:

  • Requesting that passwords pass a regex of varying complexity
  • Setting the password autonomously, so that casual users have a strong password
  • Letting passwords expire
  • etc.

On the other hands there are drawbacks, because all of them make life less easy for the user, meaning less registrations.

So, what techniques do you use? Which provide the best protection vs. inconvenience ratio?

To clear things up, I am not referring to banking sites or sites that store credit cards. Think more in terms of popular (or not-so-popular) sites that still require registration.

Best Solution

I don't think it's possible to enforce strong passwords, but there are lots of things you can do to encourage them as much as possible.

  • Rate each password and give the user feedback in the form of a score or a graphical bar, etc.
  • Set a minimum password score to weed out the awful ones
  • Have a list of common words that are either banned, or tank the password score

One excellent trick I like to use is to have the password's expiry date tied to the password score. So stronger passwords don't need to be changed so often. This works particularly well if you can give users direct feedback about how long the password they've chosen will live for (and dynamically update it so they can see how adding characters affects the date).