There are at least two different issues in the password strength checks.

1. Multi-byte characters like 'ö', '€', 'é' are counted by byte. One multi-byte character counts as more than one character. This breaks the password length check. Since the typical minimum length is 7, passwords like "öäüö" are approved by the length check, because the length is 8.

2. The password quality checker check_password_quality(const char *s) from lib/util/genrand.c is (probably) intended to check whether the password contains 3 of the following five categories:

- uppercase characters
- lower case characters
- digits
- other ascii characters (like @,-_^=*: ...)
- characters which are out of typical ascii range (multi-byte?)

But the check is broken. The function checks whether the password contains 3 or more characters of the first 4 categories _OR_ the number of characters that are out of ascii range is greater than the half length of the password. That means that a password like "ö" is a complex password. The "ö" causes a number of 2 non-ascii characters, which is greater than the half password length, which is 1.

The code from the check_password_quality function:

    has_high > strlen(reals)/2

Where has_high is number of _bytes_ that are non-ascii characters.

Microsoft composed the following rules (among others) for quality checks. This is an abridgment from http://msdn.microsoft.com/en-us/subscriptions/cc786468%28v=ws.10%29.aspx:

Passwords must contain characters from three of the following five categories:

- Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
Thanks for the analysis. I'm pretty sure this is a dup or extension of #9105 which I dropped the ball on. Let's just have one bug for this, and finally get this fixed.

*** This bug has been marked as a duplicate of bug 9105 ***
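Added example, not Samba's code: a simplified C model of the two behaviours described in the report above (byte-based length counting and the `has_high > strlen(reals)/2` shortcut), next to a UTF-8 code-point count and a hypothetical five-category check. All function names and the sample passwords are assumptions made for illustration; the category test uses plain ASCII ranges and does no Unicode case classification.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

const char PW_UMLAUTS[] = "\xc3\xb6\xc3\xa4\xc3\xbc\xc3\xb6"; /* constructed sample: "öäüö" */
const char PW_SINGLE[] = "\xc3\xb6";                          /* constructed sample: "ö" */

/* Count UTF-8 code points: every byte except a continuation byte (10xxxxxx) starts one. */
size_t utf8_codepoints(const char *s) {
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (((unsigned char)*s & 0xC0) != 0x80) n++;
    return n;
}

/* Sets *ascii_classes to the number of ASCII categories seen; returns the count of bytes >= 0x80. */
static size_t classify(const char *s, int *ascii_classes) {
    int digit = 0, upper = 0, lower = 0, other = 0;
    size_t high = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p >= 0x80) high++;
        else if (*p >= '0' && *p <= '9') digit = 1;
        else if (*p >= 'A' && *p <= 'Z') upper = 1;
        else if (*p >= 'a' && *p <= 'z') lower = 1;
        else other = 1;
    }
    *ascii_classes = digit + upper + lower + other;
    return high;
}

/* Model of the reported logic: three ASCII categories OR high bytes > half the byte length. */
bool quality_as_reported(const char *s) {
    int classes;
    size_t high = classify(s, &classes);
    return classes >= 3 || high > strlen(s) / 2;
}

/* Hypothetical alternative: non-ASCII is one category among five, and three are required. */
bool quality_five_categories(const char *s) {
    int classes;
    size_t high = classify(s, &classes);
    return classes + (high > 0 ? 1 : 0) >= 3;
}

int main(void) {
    printf("%zu bytes, %zu code points\n", strlen(PW_UMLAUTS), utf8_codepoints(PW_UMLAUTS));
    printf("reported=%d five=%d\n", quality_as_reported(PW_SINGLE), quality_five_categories(PW_SINGLE));
    return 0;
}
```

A minimum-length policy would compare against `utf8_codepoints()` rather than `strlen()`; input is assumed to be valid UTF-8.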