Should we advise users to enhance their passwords by brute-forcing them up to a reasonable amount of time using common password picking techniques?

There was a recent post about this on security.se which I can’t find right now, basically OP received an email from a site they had an account on, and the email said that the site brute-forced the password and was able to pick it very quickly. Poster asked if they were safe and what was going on. I’ve seen similar posts on reddit and very often people get confused by these emails.

Do you think this “you have a very weak password” warning notification/email is something we should do?

If so, how should we explain to users that their account is safe and wasn’t hacked or something, as apparently many users get scared of similar notifications?

There are already many typical notifications when you create a password (telling how weak or strong your password is, mostly by counting the number of characters and the use of variation). This should be easy to implement (I guess these are available as open source packages).

Personally, I believe

  • It is not really our task to educate (by force) the users in picking good passwords.
  • Those simple strength measures are not that accurate, and they already perceive a password as strong when a suffix or prefix number is added or a capital is added at the beginning or the end (which is not really large randomness).
  • Actively brute-forcing is not necessary, you just need to verify the characteristics of the password. You do not really have to brute-force it. (Possibly that specific site decided to test passwords retroactively, when they only have the hash but not the real password, but when you test the passwords at the moment they are created you do not need to brute-force them.)
  • Codidact is not your online bank account.
  • Websites with restrictive passwords annoy me massively (either they accept too few characters or do not allow sufficient length, although this occurs much less now, or they force you to use more than you typically would). If a person desires to use an XKCD-style (see MVP: Account database scheme suggestion - #35 by manassehkatz) password sentence of 25 characters length, then why would we dismiss that? Let users use what they wish to use (it might be even more secure than us meddling with their trusted methods and creating confusion).
3 Likes

No. I hate that kind of nanny-ism. It’s my account.

Keep some perspective. This is an on-line forum, not a bank.

7 Likes

I read somewhere that people who use weak passwords are likely to reuse them or use very similar variations which are easy to guess, so in case of a leak of a password to a forum they might have the same password on their online banking account. So I think it’s a good idea if we consider that.

Here are a couple links with numbers, not sure about source credibility, but it’s better than “I read somewhere”:

Me too, and I don’t mean to propose overly complicated password complexity rules as a requirement, so that you can just use password123 and be done, if you really want to have that password. I just think it would be a good idea to actively educate users about password security on a site where people seek knowledge and betterment of themselves. Kinda fits with the overall vibe, you know.

3 Likes

There are precious few password strength meter libraries by people who know what they are talking about, but zxcvbn comes highly recommended for good reason. It’s based on the same kinds of wordlist and pattern-based logic that real password crackers use, gives feedback for why a password is weak, does well in tests using real world breached passwords, and is ported to a variety of common ecosystems. Combined with a test against the Have I Been Pwned Passwords API we’d have a pretty secure yet usable system.

7 Likes
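As an added example (not code from this thread, from Codidact, or from the zxcvbn or Have I Been Pwned projects), here is what the check proposed in the last post looks like at signup time. It implements the k-anonymity protocol of the Pwned Passwords range API: only the first five hex characters of the password's SHA-1 are sent, the server answers with every hash suffix in that bucket and its breach count, and the match is made locally, so the password never leaves the site. The fetch function is injectable, so the demo runs offline against a constructed fake server; `fetch_range_live` is the real call. The minimum length of 8 and the "no known-breached passwords, no other composition rules" policy are assumptions (they follow NIST SP 800-63B), and the breach counts in `FAKE_BREACH_DB` are made up for the demo. The zxcvbn scoring step is left as a comment rather than bundled.

```python
"""Breached-password screening via the HIBP range API (k-anonymity)."""
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called offline
MIN_LENGTH = 8  # assumed policy; no upper bound below 64 and no composition rules


def sha1_hex(password: str) -> str:
    """Pwned Passwords indexes by upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """k-anonymity split: 5-char prefix goes over the wire, 35-char suffix stays local."""
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerates CRLF, blank lines and padding entries (count 0)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup. Add-Padding makes every response the same rough size."""
    req = Request(RANGE_URL + prefix, headers={"Add-Padding": "true",
                                               "User-Agent": "signup-check-example"})
    with urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def evaluate_new_password(password: str, fetch_range: Callable[[str], str]) -> Tuple[bool, str]:
    """Signup-time check. The message is worded so a user knows nothing was hacked."""
    if len(password) < MIN_LENGTH:
        return False, f"Password must be at least {MIN_LENGTH} characters."
    hits = pwned_count(password, fetch_range)
    if hits:
        return False, (f"This password appears {hits} times in public breach data. "
                       "Your account here has not been compromised; please pick another.")
    # A zxcvbn score (e.g. zxcvbn(password)['score'] < 3 in the Python port) would go
    # here for feedback, but it is advice, not a hard rule, per the thread.
    return True, "OK"


# Constructed fake server for the offline demo; counts are invented.
FAKE_BREACH_DB = {"password": 1_000_000, "qwerty": 500_000, "letmein": 250_000}


def fake_range_server(prefix: str) -> str:
    """Stand-in for the HIBP endpoint: returns only suffixes in the requested bucket."""
    lines = []
    for pw, count in FAKE_BREACH_DB.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "short", "correct horse battery staple"):
        print(repr(pw), evaluate_new_password(pw, fake_range_server))
```

Note that a long XKCD-style passphrase passes untouched: the only hard rejection besides a trivial length floor is a password that is already in a breach corpus, which is exactly the "reused on the bank account" risk raised above.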