What are the criteria Boardmaker Online uses to determine if a password is strong enough?

January 14, 2019

Following the guidelines required by NIST SP 800-63B  the following requirements have be placed on passwords for Tobii Dynavox Single Sign On accounts.

  • 8 character minimum
  • Cannot be present on a list consisting of passwords from previous public security breaches, commonly used dictionary words and repetitive or sequential characters. An open source framework (zxcvbn ) is used to score passwords based on these criteria.
  • Guidance is offered to the user, in the form of a strength meter & text explaining the reasoning for a password's rejection.

Using zxcvbn, passwords scored as "Not Secure" or "Weak" if they use any of the following:
  • common dictionary words
  • common names and surnames
  • common dates
  • straight rows or short keyboard patterns
  • sequential characters like "aaa" or repeating characters like "abcabcabc"
  • predictable substitutions like '@' instead of 'a' or uppercase letters do not exclude a password from the restrictions
References
NIST.SP.800-63b (Authentication and Lifecycle Management).pdf
zxcvbn: Low-Budget Password Strength by Estimation Daniel Lowe Wheeler, Dropbox Inc.