[Feature]: Allow weak Password again

[rezzorix]

🏷️ Feature Request Type

Other

🔖 Feature description

Since v1.10.0 no weak passwords are allowed anymore.
Please offer at least an option to allow the use of weak passwords.

✔️ Solution

Having password complexity in general is fine - but hey, please offer at least an option to use weak passwords.

❓ Alternatives

📝 Additional Context

I am sure a lot people run UK in a strict local environment only, therefore a simple and easy PW is preferred.

⚠️ Please verify that this feature request has NOT been suggested before.

• I checked and didn't find similar feature request

[louislam]

Currently I used this library to check the password.
https://check-password-strength.netlify.app/

If it is too weak, Uptime Kuma will reject it.

I found that the library isn't perfect, because some passwords like lskdfjlkshlgklhakjfhklsjfjksljlsafsdr is still too weak.
We could discuss a better solution.

[rezzorix]

Well, requirement for a "strong password" is now alphanumeric & min. 6 characters... thats not strong anyway.
Thats not strong at all 😉

Maybe I should be more specific; with weak I mean simple.
On my local monitors I use username=password; really simple stuff.
Means for example username 123, PW 123...

On all monitors that are somehow accessible by others or face the outside world I have strong username/pw + 2FA anyway...

If could switch off the requirement for login on some machines would even be easier.

[chakflying]

I'm a fan of password strength based on entropy. This library, while doesn't seem very popular, seem to be pretty comprehensive in combining different tests.

In terms of allowing weak passwords, I thought using a password manager is already the norm these days? There really shouldn't be any excuse for a weak password just because it's easier to type.

[rezzorix]

Believe me, I am using a PW manager.
But when you have dynamically changing IPs and not use any domain names in a local network, you dont wanna fill up your PW manager with useless entries.

Thats why: allow weak or no PWs please.

All this "strong PW" talk is fine - I am not against it, but use-by-use case please - dont enforce it where it might not be required. At least offer the option to choose the password policy.

[EzxD]

maybe consider something like that:
https://stackoverflow.com/questions/5142103/regex-to-validate-password-strength

[louislam]

Well, requirement for a "strong password" is now alphanumeric & min. 6 characters... thats not strong anyway. Thats not strong at all 😉

Maybe I should be more specific; with weak I mean simple. On my local monitors I use username=password; really simple stuff. Means for example username 123, PW 123...

On all monitors that are somehow accessible by others or face the outside world I have strong username/pw + 2FA anyway...

If could switch off the requirement for login on some machines would even be easier.

I would suggest something like abc123. 123 is clearly too short in my opinion.

FYI: I got CWE-521 report recently, that is why I added this.
https://cwe.mitre.org/data/definitions/521.html

Thats why: allow weak or no PWs please.

You could disable auth in the settings page btw.

[rezzorix]

Thats why: allow weak or no PWs please.

You could disable auth in the settings page btw.

Oh man... just saw this option now; I thought it had a different purpose...
Forget my request - I just disable auth.

For stronger passwords I however would still suggest to let the complexity be set by the admin.

[andreasbrett]

There really shouldn't be any excuse for a weak password just because it's easier to type.

Exactly. If it really needs to be easy to type just use a passphrase rather than a password.

I'm a fan of password strength based on entropy. This library, while doesn't seem very popular, seem to be pretty comprehensive in combining different tests.

I'm not a fan of entropy-based password strength determination. It's proven that some weak passwords have high entropy. One great alternative library is zxcvbn that will - just like tai - provide quite a few details on the domain of password weakness ("phrase contained in US movie database", l33t variations, top100 password etc) but is not based on entropy but rather has been developed differently.

Some more details:

• blog post: https://dropbox.tech/security/zxcvbn-realistic-password-strength-estimation
• talk at USENIX Security 2016: https://www.youtube.com/watch?v=vf37jh3dV2I

It's easy to use and gives a lot of metrics to determine what you want to have. For UK I could think of simply using the "unthrottled online attack" metric (maybe a slider in the settings to set "how many days should cracking this password take at minimum". Or even simpler - setting minimum score (though this scales only from 0 to 4).

So a password abc123 would be cracked within 1.4 seconds:

{
  password: 'abc123',
  guesses: 14,
  guesses_log10: 1.1461280356782377,
  sequence: [
    {
      pattern: 'dictionary',
      i: 0,
      j: 5,
      token: 'abc123',
      matched_word: 'abc123',
      rank: 13,
      dictionary_name: 'passwords',
      reversed: false,
      l33t: false,
      base_guesses: 13,
      uppercase_variations: 1,
      l33t_variations: 1,
      guesses: 13,
      guesses_log10: 1.1139433523068367
    }
  ],
  calc_time: 4,
  crack_times_seconds: {
    online_throttling_100_per_hour: 504,
    online_no_throttling_10_per_second: 1.4,
    offline_slow_hashing_1e4_per_second: 0.0014,
    offline_fast_hashing_1e10_per_second: 1.4e-9
  },
  crack_times_display: {
    online_throttling_100_per_hour: '8 minutes',
    online_no_throttling_10_per_second: '1 second',
    offline_slow_hashing_1e4_per_second: 'less than a second',
    offline_fast_hashing_1e10_per_second: 'less than a second'
  },
  score: 0,
  feedback: {
    warning: 'This is a top-100 common password',
    suggestions: [ 'Add another word or two. Uncommon words are better.' ]
  }
}

While passphrase JohnnyCactusRainbow would take 133559128 seconds = 4 years to crack:

{
  password: 'JohnnyCactusRainbow',
  guesses: 1335591280,
  guesses_log10: 9.125673574907456,
  sequence: [
    {
      pattern: 'dictionary',
      i: 0,
      j: 5,
      token: 'Johnny',
      matched_word: 'johnny',
      rank: 95,
      dictionary_name: 'male_names',
      reversed: false,
      l33t: false,
      base_guesses: 95,
      uppercase_variations: 2,
      l33t_variations: 1,
      guesses: 190,
      guesses_log10: 2.278753600952829
    },
    {
      pattern: 'dictionary',
      i: 6,
      j: 11,
      token: 'Cactus',
      matched_word: 'cactus',
      rank: 1173,
      dictionary_name: 'passwords',
      reversed: false,
      l33t: false,
      base_guesses: 1173,
      uppercase_variations: 2,
      l33t_variations: 1,
      guesses: 2346,
      guesses_log10: 3.37032800777951
    },
    {
      pattern: 'dictionary',
      i: 12,
      j: 18,
      token: 'Rainbow',
      matched_word: 'rainbow',
      rank: 231,
      dictionary_name: 'passwords',
      reversed: false,
      l33t: false,
      base_guesses: 231,
      uppercase_variations: 2,
      l33t_variations: 1,
      guesses: 462,
      guesses_log10: 2.6646419755561253
    }
  ],
  calc_time: 5,
  crack_times_seconds: {
    online_throttling_100_per_hour: 48081286080,
    online_no_throttling_10_per_second: 133559128,
    offline_slow_hashing_1e4_per_second: 133559.128,
    offline_fast_hashing_1e10_per_second: 0.133559128
  },
  crack_times_display: {
    online_throttling_100_per_hour: 'centuries',
    online_no_throttling_10_per_second: '4 years',
    offline_slow_hashing_1e4_per_second: '2 days',
    offline_fast_hashing_1e10_per_second: 'less than a second'
  },
  score: 3,
  feedback: { warning: '', suggestions: [] }
}

The above mentioned lskdfjlkshlgklhakjfhklsjfjksljlsafsdr would take centuries to crack (and just because it's all lowercase doesn't mean it's weak - it is very long and random and therefore quite secure):

{
  password: 'lskdfjlkshlgklhakjfhklsjfjksljlsafsdr',
  guesses: 1e+37,
  guesses_log10: 37,
  sequence: [
    {
      pattern: 'bruteforce',
      token: 'lskdfjlkshlgklhakjfhklsjfjksljlsafsdr',
      i: 0,
      j: 36,
      guesses: 1e+37,
      guesses_log10: 37
    }
  ],
  calc_time: 7,
  crack_times_seconds: {
    online_throttling_100_per_hour: 3.6e+38,
    online_no_throttling_10_per_second: 9.999999999999999e+35,
    offline_slow_hashing_1e4_per_second: 1e+33,
    offline_fast_hashing_1e10_per_second: 1e+27
  },
  crack_times_display: {
    online_throttling_100_per_hour: 'centuries',
    online_no_throttling_10_per_second: 'centuries',
    offline_slow_hashing_1e4_per_second: 'centuries',
    offline_fast_hashing_1e10_per_second: 'centuries'
  },
  score: 4,
  feedback: { warning: '', suggestions: [] }
}

[louislam]

Forget my request - I just disable auth.

No problem, I close this issue since I believe that weak password would not be accepted again.