Actually, my favorite hosting company (ICDSoft), recently added a password “guide” of sorts when adding email addresses. I am sure it is not the only one out there, just using as an example. It works something like this:
- Password field starts out blank, with “password strength = N/A”
- “Generate” button next to password field. Click it and you have choices of:
- Random = “any” characters mixed together, default length = 12
- Pronounceable = random lower case alpha, default length = 15
- Passphrase = random lower case alpha words, default length = 5 words (i.e., this is the XKCD thing!)
- You can regenerate if you don’t like what you get. You can adjust the length to make it stronger or weaker.
- Presumably (but I have not analyzed) the 3 password types with default lengths are of similar entropy/security level.
- When you select a password or type one in by yourself, you get a password strength (Very Weak, Weak, Fair, Strong, Very Strong) - obviously the Generate button (with default length at least) always comes up with Very Strong.
- Weak or Very Weak are NOT accepted - i.e., you can’t add an email account unless the password meets a minimum of “Fair”
I can ask ICDSoft about the algorithm/library used. There is a good chance they will tell me - they are incredibly helpful - and if it is based on open source software with a reasonable license then I think this is worth looking into. Even if not, this basic methodology seems like a good way to force the user to do “the right thing” while giving them the option of gibberish-but-shorter vs pronounceable-but-longer vs. passphrase (XKCD style - longer to type but easier to remember). And if people want to do their own thing with their own password generator, they can do that too - as long as it meets some minimums (based on entropy, not based on arbitrary “1 of this and 1 of that and min. length”).