u/EpicalBeb

UW-IT's password strength evaluation is a joke.
▲ 19 r/udub


EDIT: Title might be too harsh, I would replace "is a joke" with "is not industry standard."
EDIT 2: Might be a bit too soon given the recent Canvas attack, but I thought it was relevant given that I actually had to reset my password, and most of y'all probably are doing the same. UW-IT generally does a great job but that is why this stuck out to me!

While random characters are the most resistant type of password, they will not be the type of password that results from a university-wide password reset, especially on a password that people have to reenter on multiple different platforms to access vital resources. Odds are, people will create very predictable passwords so that they can remember them. Thus, passphrases are an effective way of creating a relatively strong password, with 128 bytes of entropy (quite excessive given a good hashing algorithm like bcrypt or Argon2) requiring 10 words to remember, according to this paper. However, anyone planning to do so will be thrown this message:

That's not a good message because it is wrong -- OWASP recommends limits be set to at least 64 characters.

A limit of 30 characters is NOT considered best practice; according to OWASP, login forms should be set to allow at least 64 characters. Long-password DoS is an attack vector that exists, since modern password hashing algorithms intentionally waste clock cycles or RAM when computing, but that only truly comes into play when you allow hundreds of characters.

Furthermore, the strength estimation on the actual reset form seems to be hardcoded to require a symbol and number to not be considered "weak," something that actually allows attackers to guess exactly how many symbols and numbers the average person will place in their password (one of each).

A bunch of random lowercase letters is considered weak?

Rules imposed on password composition are also NOT considered best practice, according to OWASP. Instead, this hardcoded password strength evaluator should be replaced with actual industry-standard strength evaluator libraries like zxcvbn, also as recommended by OWASP. It is best to cross-reference with MITRE, NIST, and OWASP's cheat sheets when implementing any cryptography or security defenses. For those who don't know, OWASP is the Open Worldwide Application Security Project, an open-source community nonprofit widely recognized to be a good source on best practices, even by UW's own security courses, INFO 310, INFO 498 B, and CSE 484.

Sources:

https://blog.syss.com/posts/passphrases/

https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls

u/EpicalBeb — 14 days ago
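Added example, not part of the post above and not UW-IT's code: a small Python script that puts numbers on the post's two complaints. It computes passphrase entropy from a word-list size (the 7776-word Diceware list size and the 10-word/128-bit figure are assumptions taken from the kind of list the cited paper discusses), models a hypothetical evaluator with a 30-character cap and a digit-plus-symbol rule, and sets it beside a length-based policy in the OWASP style with no composition rules. The MIN_LENGTH/MAX_LENGTH values, the denylist and the sample passwords are all constructed for illustration.

```python
import math
import re
from typing import Tuple

# Assumed word-list size: Diceware-style lists such as the EFF large list have
# 7776 words, i.e. log2(7776) ~= 12.93 bits per uniformly chosen word.
DICEWARE_LIST_SIZE = 7776

# Constructed denylist standing in for a real breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "qwerty", "123456", "letmein", "welcome1"}

MIN_LENGTH = 8     # assumption: a floor on user-chosen passwords
MAX_LENGTH = 128   # assumption: above OWASP's 64 minimum, bounded against hashing DoS


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly from a list."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Fewest uniformly chosen words that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def hardcoded_evaluator(pw: str) -> str:
    """Hypothetical rule-based check modelled on the behaviour the post describes:
    a hard 30-character cap, and 'weak' unless there is a digit and a symbol."""
    if len(pw) > 30:
        return "rejected: over 30 characters"
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in pw)
    return "ok" if (has_digit and has_symbol) else "weak"


def owasp_style_check(pw: str) -> Tuple[bool, str]:
    """Length-based policy with no composition rules plus a denylist lookup.
    The lookup also strips digits and symbols, so 'Password1!' still hits 'password':
    the one-digit-one-symbol shape composition rules produce is exactly what an
    attacker enumerates first."""
    n = len(pw)
    if n < MIN_LENGTH:
        return False, f"too short ({n} < {MIN_LENGTH})"
    if n > MAX_LENGTH:
        return False, f"too long ({n} > {MAX_LENGTH})"
    core = re.sub(r"[^a-z]", "", pw.lower())  # heuristic normalisation, not zxcvbn
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        return False, "matches a common/breached password"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed samples: a rule-satisfying password, 20 random lowercase letters,
    # and a 10-word passphrase (63 characters, so it trips the 30-character cap).
    passphrase = "wool orbit candle ferry maple quartz tundra ember velvet harbor"
    for s in ["Password1!", "xqzplmvnbtrkwdyhgsfe", passphrase]:
        print(f"{s!r}\n  hardcoded: {hardcoded_evaluator(s)}\n  owasp:     {owasp_style_check(s)}")
    print(f"10 Diceware words: {entropy_bits_passphrase(10):.1f} bits; "
          f"words for 128 bits: {words_needed(128)}")
    print(f"20 random lowercase letters: {entropy_bits_random(20, 26):.1f} bits")
```

Two caveats when adapting this. The denylist-plus-normalisation step is a stand-in; in a real form it is the job of zxcvbn (or a breached-password lookup), which scores dictionary words, keyboard walks and the "Password1!" shape far better than a regex. And the maximum length must be chosen with the hash in mind: bcrypt only uses the first 72 bytes of its input, so a 128-character cap in front of bcrypt silently truncates, whereas Argon2 has no such input limit; either pick Argon2 or pre-hash before bcrypt if you want long passphrases to count in full.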
▲ 62 r/udub

If you or a loved one have been affected by ShinyHunters, or if any of those apply to you, join UW's premier cybersecurity RSO, Batman's Kitchen! We host talks teaching cybersecurity concepts and participate in hands-on CTF competitions (like playing a puzzle game, but it can get you employed!) twice a week. No previous experience required; we have officers from majors all the way from Computer Science and Informatics to Poli Sci and Geography. Come by and learn some nerd shit skills and knowledge which can carry into any discipline that uses computers, from policy, regulation and compliance, and security testing to IT! We have a network of uncs alumni in industry who offer great advice and help with career decisions. Join us at https://www.batmans.kitchen/, https://discord.com/invite/tXrwJqrRMk, https://www.instagram.com/bkatuw/

u/EpicalBeb — 16 days ago