
What is the best way to check the strength of a password in iOS development? I came across this post: What is the best way to check the strength of a password? but this is not iOS specific. My question is: do Apple or third-party libraries provide anything by default which I can use to check if the user entered a secure password?

If not, then as the above post says, is using regular expressions the best way?

Does Apple have any requirements which our app needs to implement to make sure the user has a secure password?

I am planning on using the keychain to store the password.

  • Apple does not have requirements as to the strength of a password AFAIK, so there would be no standard for libraries to check passwords against. I would follow the advice of VirtuosiMedia in the post you linked to; yes, regexes are the best way. – Polyov Sep 09 '12 at 20:35
  • Password criteria seem to me to be both annoying and self-defeating. By forcing passwords into a particular mold you are not increasing the entropy in the way you would hope. Experienced users will use a good password anyway; inexperienced ones will create the weakest available password in the new scheme - `[A-Z][a-z]{4,4}[0-9!$?]` or similar. How many bits more is that than `[a-z]{6,6}`? – Alex Brown Sep 09 '12 at 20:56
  • It may even be LESS bits of entropy. – Alex Brown Sep 09 '12 at 20:58
  • One other way most iOS users work is to get a password from a tool like LastPass or 1Password. Most of the time the use case will be not to annoy users. Cheers – sathish_at_madison Sep 09 '12 at 21:46

1 Answer


No, Apple doesn't provide a standard or library for determining password strength - they don't have a common policy on what constitutes "secure" in that context.

Whether or not the post you link describes the best way is often a matter of opinion - Alex Brown described in the comments some reasons why attempting to validate passwords can backfire on developers. That discussion might be a little out of scope for StackOverflow, though.

Tim
  • @Alex Brown Thanks everyone! That's what I think too, that forcing users to use a specific type of "secure" password doesn't make their profile secure. I guess I will just leave it to the users to decide what kind of password they want to implement. I will just add a few exceptions so that users don't use really simple passwords like "password" "pa$$word" etc. – sudoExclaimationExclaimation Sep 10 '12 at 00:13
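
One way to implement the approach the asker settles on in the last comment (no composition rules, only rejecting really simple passwords such as "password" and "pa$$word"), as an added Swift example that is not from the question, the answer or Apple. The names `checkPassword` and `normalize`, the minimum length of 8, the substitution table and the short deny-list are all assumptions constructed for illustration.

```swift
import Foundation

// Constructed sample deny-list (assumption); a real app would ship a much
// larger list of commonly used passwords.
let commonPasswords: Set<String> = ["password", "letmein", "qwerty", "iloveyou", "123456"]

// Common character substitutions folded back to letters before the lookup,
// so that "pa$$word" and "P@ssw0rd" both match "password".
let substitutions: [Character: Character] = [
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "l", "!": "i", "3": "e", "7": "t",
]

enum PasswordVerdict: Equatable {
    case ok
    case tooShort(minimum: Int)
    case tooCommon
}

/// Lowercases the candidate and undoes the substitutions above.
func normalize(_ password: String) -> String {
    String(password.lowercased().map { substitutions[$0] ?? $0 })
}

/// Hypothetical helper: no composition rules, only a minimum length and a
/// deny-list lookup on three forms of the candidate.
func checkPassword(_ password: String, minimumLength: Int = 8) -> PasswordVerdict {
    if password.count < minimumLength {
        return .tooShort(minimum: minimumLength)
    }
    let lowered = password.lowercased()
    let normalized = normalize(password)
    // "Password2012" -> "password": strip leading/trailing non-letters.
    let trimmed = lowered.trimmingCharacters(in: CharacterSet.letters.inverted)
    if [lowered, normalized, trimmed].contains(where: { commonPasswords.contains($0) }) {
        return .tooCommon
    }
    return .ok
}

// Constructed sample inputs.
let samples = ["password", "pa$$word", "P@ssw0rd", "Password2012", "short",
               "correct horse battery staple"]
for sample in samples {
    print(sample, "->", checkPassword(sample))
}
```

The check only decides whether to accept the password at sign-up; storing it in the keychain, as the question plans, is unaffected.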