Why isn't a client-side password complexity check considered secure?

You’re assuming that the check is bypassed on purpose. It could be the case that someone is using a browser which fails to handle the script properly or with scripts disabled, possibly even without knowing this.

You seem to have a reason for people to use strong passwords. If you do so, why accept that people can bypass it?

Client-side validation can be helpful from a usability perspective, but if you decide that a minimum password strength is required, you should enforce it by implementing it server-side.


The rule when writing a server application is simply never trust what comes from client. Checks done client side are great as they allow a nice user experience with nice popups and immediate display. But as anything can happen, from a disabled javascript browser to a user using a scripting language to simulate a browser, all checks must be done (again) server side.

If strong passwords are just recommended, do what you want, if they are a requirement, you must implement a check server side.

BTW: you as the dev can propose solutions, but the client does express requirements. If you do not agree with them you can ask for clarification and propose other ways, but in the end the client will decide.


If the user MUST set a strong password, checking the password strength only on the client side is a vulnerability.

Example

If you work in a big company and you have to change your password every 2 or 3 months a few people will start bypassing the client-side check of password strength to use shorter or better to memorize passwords. If these passwords are used to derive cryptographic keys, e.g. for multi-user encryption of files, it becomes horrible...

Solution

Always check the password strength at the server and optionally check the password strength at the client to decrease requests to the server.

Recommended library: ZXCVBN

  • Uses pattern matching and checks for most used passwords to estimate password strength.
  • Is available in multiple programing languages

Tags:

Password Policy

Related

Is it possible to "fake" being connected to a router? Why use HTTPS Everywhere when we have HSTS supported browsers? Facebook's warning of self-xss Is it unsafe to show message that username/account does not exist at login? Is checking the Referer and Origin headers enough to prevent CSRF, provided that requests with neither are rejected? Why can't Let's Encrypt support wildcard certificates? Risks of explicitly trusting SSL certificate vs relying on certificate chain for validation? Forgot your password: "New password must have a minimum of 4 characters different from the previous password" Why should I offer HTTP in addition to HTTPS? How to determine and control extent of data passing through VPN connection? Why JMP ESP instead of directly jumping into the stack Store encrypted user data in database

Recent Posts