Requirement for "at least two of the sets of uppercase ... punctuation ... numbers" is silly

Bug #1220294 reported by Matthew Paul Thomas
This bug affects 2 people
Affects: Canonical SSO provider
Status: Fix Released
Importance: Undecided
Assigned to: Ricardo Kirkner
Milestone: none

Bug Description

1. Try to change your password to "ambivalent green arguments".

What happens: Ubuntu One complains that "Password must have characters from at least two of the sets of uppercase characters, punctuation and numbers."

What should happen: The requirement does not exist. It is overcomplicated and unhelpful, leading you to have a password you write down somewhere rather than a passphrase you remember.

Ricardo Kirkner (ricardokirkner) wrote :

The requirement is quite real. It's only a requirement for Canonical employees at this time.

Changed in canonical-identity-provider:
status: New → Won't Fix
Matthew Paul Thomas (mpt) wrote :

That's begging the question. I didn't say it wasn't real, I said that it was overcomplicated and unhelpful.

Changed in canonical-identity-provider:
status: Won't Fix → In Progress
Changed in canonical-identity-provider:
assignee: nobody → Ricardo Kirkner (ricardokirkner)
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Matthew Paul Thomas (mpt) wrote :

I should have been in a Hangout right now, but I'm not, because SSO reset my passphrase again.

Instead of requiring two of lower-case letters, upper-case letters, or numerals, apparently it now requires all three of them. That makes it slightly easier to explain, but even harder to comply with, so overall silliness remains unchanged.

The original steps to reproduce still apply: the strength indicator admits that "ambivalent green arguments" is a "Fair" password -- an epic understatement -- but then refuses to accept it! (Obviously that's just an example, not the particular words I'm using.) <http://www.baekdal.com/insights/password-security-usability>

That SSO has reset my passphrase at all is also slightly alarming. Have you reset the passphrase for hundreds of Canonical employees twice in two weeks, or just those whose passphrases didn't meet the criteria? If the former, that's a lot of employee time you're taking up. And if the latter, how do you know whose existing passphrases didn't meet the criteria?

Natalia Bidart (nataliabidart) wrote :

Hi mpt,

A few answers:

> Instead of requiring two of lower-case letters, upper-case letters, or numerals, apparently it now requires all three of them

Yes, we do require all three of them now, but only for Canonical employees. This is a requirement to comply with PCI standards.

> the strength indicator admits that "ambivalent green arguments"

The visual strength indicator is intended to validate password policy for regular users, not Canonical employees, so that's why it is green for passwords that are valid for the regular policy, but not for the Canonical policy.

> Have you reset the passphrase for hundreds of Canonical employees

No, we have not reset any passphrase "in advance".

> How do you know whose existing passphrases didn't meet the criteria?

When you're entering your email and password we have the password in plain text, so it is straightforward to check that a specific policy is valid for a given password. If it's not, we force a password reset.

I hope my answers give you a clearer picture of the status of password constraints.

Matthew Paul Thomas (mpt) wrote :

<https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/> gives a more detailed overview of why your current requirements are silly. It also provides code for, and a demo of, a better password strength tester.
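
To make the thread's complaint concrete, the following is an added example (not code from the SSO provider or from any commenter) that implements both composition rules described above, the original "at least two of uppercase, punctuation and numbers" and the later "lower-case, upper-case and numerals, all three", and sets their verdicts beside a deliberately naive length-times-alphabet entropy estimate. It assumes Python's string.punctuation as the punctuation set and uses constructed sample passwords; the estimate ignores dictionary structure, which is exactly what the linked zxcvbn article addresses.

```python
import math
import string

# Character classes referred to in the bug thread (assumed sets).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),  # assumption: the SSO's exact set is not given
}


def classes_present(pw: str) -> set:
    """Return the names of the character classes that occur in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def policy_two_of_three(pw: str) -> bool:
    """Original rule: characters from at least two of {uppercase, punctuation, numbers}."""
    return len(classes_present(pw) & {"upper", "punct", "digit"}) >= 2


def policy_all_three(pw: str) -> bool:
    """Later rule: lower-case letters, upper-case letters and numerals, all three."""
    return {"lower", "upper", "digit"} <= classes_present(pw)


def naive_entropy_bits(pw: str) -> float:
    """Upper bound on guessing cost: length * log2(alphabet size).
    Naive on purpose (spaces count toward length only, words are not
    recognised), yet it already shows length outweighing composition."""
    alphabet = sum(len(CLASSES[c]) for c in classes_present(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def evaluate(pw: str) -> dict:
    """Verdict of both policies plus the naive estimate, for comparison."""
    return {
        "two_of_three": policy_two_of_three(pw),
        "all_three": policy_all_three(pw),
        "bits": round(naive_entropy_bits(pw), 1),
    }


if __name__ == "__main__":
    # Constructed samples: the passphrase from the report and a short "complex" password.
    for sample in ("ambivalent green arguments", "Passw0rd!", "green apples 42!"):
        print(repr(sample), evaluate(sample))
```

The long passphrase fails both rules while the short password passes both, even though the naive estimate already ranks the passphrase far higher; a dictionary-aware estimator such as the one linked above narrows that gap but does not reverse it.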

Changed in canonical-identity-provider:
status: Fix Committed → Fix Released