What are the requirements for a 'Very Strong' password under the new password policy feature - it is not documented.

Hilary Boyce
Rising Star
March 16, 2015

We have set our password policy to Very Strong, but users are finding they cannot set a password, despite using upper and lower case, numbers, symbols and 10 characters.  In the documentation only the other categories have an explanation.

What does a password need to have to satisfy the Very Strong level?

4 answers

1 vote
Jeremy Evans
Atlassian Team
March 17, 2015

Hi Hilary,

The answer isn't a simple one as there is no 'criteria' (which is why it isn't listed in the docs). We found any criteria used could easily let through a weak password. For example: Pa$$w0rd uses upper-case, lower-case, numbers and symbols as well as being at least 8 letters in length, but is obviously a very weak password and would not meet what was intended by a 'very strong' password policy.

Instead, we use a measure of entropy which is an approximation of how hard it would be for a computer to guess that password. It takes into account common lists of passwords, how easy a combination is to crack and personal information (for example, detecting the user's name in their password). Ways to obtain a high entropy score include stringing 4 unrelated English words together (correcthorsebatterystaple), or use of completely random letters and numbers such as rom2dKEg6D.

For more information on the library we use, you can read https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/. We should probably also include this information in the docs, I will chase it up further with our tech writers.

Let me know if you have further enquiries!
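
The scoring approach described in the answer above, as an added illustration (this is not code from the page, not Atlassian's implementation, and not the zxcvbn library itself, which is written in JavaScript, hence the choice of language here). It contrasts the composition rule from the question with a minimal zxcvbn-style estimator: a dynamic programme that finds the cheapest way an attacker could guess the password, where each character is covered either by brute force or by a dictionary word (after undoing l33t substitutions), with personal information such as the user's name treated as the attacker's first guesses. The word list, its frequency ranks, the l33t table, the 0-4 score bands and the sample passwords are all constructed assumptions for the example and do not reflect zxcvbn's real data or thresholds.

```javascript
// Added illustration of entropy-based strength scoring in the spirit of zxcvbn.
// NOT the zxcvbn library and NOT Atlassian's implementation: the word list, its ranks,
// the l33t table and the score bands are constructed for this example.

// Constructed mini dictionary: word -> approximate frequency rank (lower = guessed sooner).
const COMMON_WORDS = {
  password: 1, qwerty: 2, welcome: 3, letmein: 4, admin: 5, monkey: 6, dragon: 7,
  sunshine: 8, horse: 1200, correct: 2100, battery: 3400, staple: 9800,
};

// Common "l33t" substitutions undone before dictionary lookup (Pa$$w0rd -> password).
const LEET = { "$": "s", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a" };

// Size of the alphabet an attacker must brute-force given the character classes present.
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII punctuation
  return n;
}

// The composition rule from the question: 8+ chars with upper, lower, digit and symbol.
function meetsCharacterClassRule(pw) {
  return pw.length >= 8 && /[a-z]/.test(pw) && /[A-Z]/.test(pw) &&
         /[0-9]/.test(pw) && /[^a-zA-Z0-9]/.test(pw);
}

// Score bands (assumption): bits of guessing entropy needed for scores 1..4.
function scoreFromBits(bits) {
  return [21, 28, 35, 41].filter(b => bits >= b).length;
}

// Cheapest attacker path over the string: each position is covered by brute force
// (log2(charset) bits per char) or by a dictionary word costing log2(rank) bits, plus
// one extra bit each for capitalisation and l33t substitutions in the matched slice.
function assess(pw, userInputs = []) {
  const ranked = new Map();
  userInputs.forEach((w, i) => ranked.set(w.toLowerCase(), i + 1)); // personal info: guessed first
  for (const [w, r] of Object.entries(COMMON_WORDS)) if (!ranked.has(w)) ranked.set(w, r);

  const norm = [...pw].map(c => LEET[c] ?? c.toLowerCase()).join(""); // ASCII input assumed
  const n = pw.length;
  const bruteBits = Math.log2(charsetSize(pw));
  const best = new Array(n + 1).fill(Infinity);
  const via = new Array(n + 1).fill(null);
  best[0] = 0;

  for (let i = 0; i < n; i++) {
    // Option 1: brute-force this single character.
    if (best[i] + bruteBits < best[i + 1]) {
      best[i + 1] = best[i] + bruteBits;
      via[i + 1] = { from: i, match: "bruteforce" };
    }
    // Option 2: a dictionary word (after undoing l33t) starts at this position.
    for (const [word, rank] of ranked) {
      if (word.length < 3 || !norm.startsWith(word, i)) continue;
      const slice = pw.slice(i, i + word.length);
      const extra = ([...slice].some(c => c in LEET) ? 1 : 0) + (/[A-Z]/.test(slice) ? 1 : 0);
      const cost = best[i] + Math.max(1, Math.log2(rank)) + extra;
      if (cost < best[i + word.length]) {
        best[i + word.length] = cost;
        via[i + word.length] = { from: i, match: word };
      }
    }
  }

  // Walk back the cheapest path so the user can be told *why* a password was rejected.
  const path = [];
  for (let j = n; j > 0; j = via[j].from) path.unshift(`${pw.slice(via[j].from, j)}=${via[j].match}`);
  const bits = best[n];
  const score = scoreFromBits(bits);
  return { bits, score, veryStrong: score === 4, path };
}

// Demo with constructed passwords; "Hilary"/"Boyce" stand in for the user's known details.
for (const pw of ["Pa$$w0rd", "correcthorsebatterystaple", "rom2dKEg6D", "HilaryBoyce1!"]) {
  const r = assess(pw, ["Hilary", "Boyce"]);
  console.log(pw, "rule:", meetsCharacterClassRule(pw), "bits:", r.bits.toFixed(1),
              "score:", r.score, "path:", r.path.join(" "));
}
```

Pa$$w0rd passes the composition rule but is a single dictionary match costing about 3 bits, while the four-word passphrase and the random string each exceed 40 bits with no special characters at all. Returning the matched path is what makes the score explainable to the user rather than a guessing game.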

0 votes
Christian Steffan
January 12, 2017

Still an issue. In the UI as a new user trying to register for an account there's zero explanation when the system rejects your password selection. All you need is some language that tells you to use at least two special characters - and whatever other security measures that are preventing the terrorists from accessing the staging link for our clients' roast beef sandwich restaurant - instead of letting us play a guessing game and eventually having to pester our admin for something that works.

0 votes
Hilary Boyce
March 17, 2015

I have added my vote to the issue, however that is likely to take months based on past experience which is not satisfactory for a feature that has already been deployed.

Could you not tell us here what the criteria are, then we and others who search will know the answer.  The developers who wrote the code must know what the test is - the answer is in your organisation.

0 votes
Elisa [Atlassian]
Atlassian Team
March 17, 2015

Hi Hilary, 

Yes, our doc is missing this strength description. We have already created a feature request (https://jira.atlassian.com/browse/CLOUD-7787) regarding this matter. Please feel free to add your comments and vote for it to make it more noticeable to our developers. Also refer to Implementation of New Feature Policy for more information on Atlassian's approach to the development of these improvements.

Let's see what dev tells us about this. :)

Cheers!
