Funny thing at work, I was handling some legacy users - we need to make sure that on the next login, if they have a weak password, they have to change it.

So the whole day I’m typing “123” as a password, 123 123 123 123 all good. So finally I’m done and now I’m testing it, and accidentally I type 1234 instead of just 123. Doesn’t really matter, either is “weak”, so I just click “Login”.

Then goes Chrome, “1234 is known as a weak password, found in breaches, you should change it”.

So TIL 123 is still good.

  • spongebue@lemmy.world · 11 upvotes · 5 days ago

    How does the system know that an already-established password is weak if not in plain text? Or are you saying you have a set of passwords, each of which has gone through the same cipher algorithm, and see if there are any matches?

      • spongebue@lemmy.world · 7 upvotes · 5 days ago

        When setting it, sure. But if we’re talking about next login, that would imply we’re talking about passwords established in the database/server.

        Then again, you do have that plaintext password available when it’s entered. Rather than checking what’s in the database, you could see what’s in the form that just triggered a successful login. That’s not as scary
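
The approach from the last comment, as an added example that is not part of the thread: the weakness check runs on the plaintext submitted in the login form, and only after it has verified against the stored salted hash, so nothing in the database is ever reversed. The names `login`, `is_weak` and `make_user`, the record layout, the denylist, the minimum length and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)
MIN_LENGTH = 8        # assumed policy
# Constructed sample denylist; a real one would come from a breach corpus.
WEAK_PASSWORDS = {"123", "1234", "password", "qwerty123"}


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def is_weak(password):
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def login(users, username, password):
    """Return 'denied', 'ok' or 'must_change'."""
    record = users.get(username)
    if record is None:
        return "denied"
    _, digest = hash_password(password, record["salt"])
    if not hmac.compare_digest(digest, record["hash"]):
        return "denied"
    # Only now, with a verified login, inspect the plaintext from the form.
    # Persist the flag so the user cannot skip the change by logging in again.
    if record["must_change"] or is_weak(password):
        record["must_change"] = True
        return "must_change"
    return "ok"


def make_user(password):
    # Demo helper: legacy accounts were created with no weakness check.
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "must_change": False}
```

The weakness check sits after the hash comparison on purpose: a failed login returns "denied" whether or not the guess was weak, so the response does not reveal anything about the stored password.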