phpBB 3.0 has the following options for password complexity:
- No requirements
- Must be mixed case
- Must contain letters and numbers
- Must contain symbols
Blacklisting
I'm sorry, but the following passwords shouldn't be allowed: 'password', '123456' (and variations of it). In fact, any of these. These passwords should be banned.
Password complexity plugins
It would be nice to have a pluggable password complexity architecture. This allows easy addition of new options, also through MODs.
Side note: Of course these plugins must not use any web services to validate the passwords; perhaps a form of signing could be employed that warns the admin if he tries to use a non-validated plugin.
Composability
Building on the plugin idea, it should be possible to combine the plugins. An "AND" check on all of the currently active ones should be good enough.
Additional options
- Mustn't be username
- Mustn't be (dictionary word)(number)
- You name it!
It would be nice to be able to generate a random password using JavaScript. Not sure if this is feasible in terms of entropy and RNG implementation, though.
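On the entropy and RNG question in the last point, here is an added example (not phpBB code and not part of the original post) of client-side password generation that draws from the Web Crypto CSPRNG and uses rejection sampling to avoid modulo bias. The alphabet and the names `randomIndex`, `generatePassword` and `entropyBits` are assumptions made for illustration.

```javascript
// Added example: random password generation backed by a CSPRNG.
// crypto.getRandomValues() is the RNG; Math.random() is not suitable here.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : null);

// Assumed alphabet (not from the post): look-alike characters removed.
const ALPHABET =
  'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@';

// Uniform integer in [0, n) by rejection sampling, so there is no modulo bias.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('n must be an integer in 1..256');
  }
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);    // discard bytes that would skew the result
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Build a password by picking each character independently and uniformly.
function generatePassword(length = 16, alphabet = ALPHABET) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[randomIndex(alphabet.length)];
  }
  return out;
}

// Entropy in bits of a password chosen uniformly from the alphabet.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

With this 68-character alphabet, a 16-character password carries about 97 bits of entropy, and the server-side complexity checks still apply to whatever the user finally submits.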