| While it can, my opinion is the client and server should not enforce anything about password strength, but MAY warn the user about weak passwords. The criteria that I think would be acceptable to be enforced includes: - A maximum (not a minimum) length, which must be suitably long, perhaps 200 bytes (or longer). - Rejecting passwords containing null bytes. - Rejecting passwords containing sequences of bytes that cannot be transmitted using the protocol, if it is necessary to transmit the password using the protocol at all (which it might not be, since it might use a hash instead). (This depends on the protocol.) - If despite the advice above, the client knows that the server will reject other passwords too, and knows precisely what the criteria are, the client can reject the same passwords. Examples of some things that should be allowed (and should not be rejected) include: - Passwords that are short. - Passwords that include your username as a substring. - Character classes/lack of character classes (e.g. you should not require nor prohibit punctuation). - Control characters (if not causing problems with the protocol like mentioned above). - Invalid UTF-8 sequences. (Just because they are allowed though, does not necessarily mean that they should be recommended.) Also, passwords should always be case-sensitive. The user should decide by themself what password they want to set, although it is OK to include advice that is optional. |