Website password length

Hi,

I don’t know if this is an issue that you can resolve. However, when you click forget password to your development account and want to change your password to a weak one, if you edit the source and remove the HTML disabled attribute then you are free to set any password.

Password strength checking is deliberately client side because of the user experience it offers, so there is a limit to how far we can go. In effect you are going out of your way to deliberately set a weak password which, if an attack were launched against your account, may lead to your API keys being discovered. If you’re that motivated to get around the checks, then we can’t stop you, in the same way we can’t stop you posting your password into a public place, which is just as bad. It would only be your account that could be compromised - there is no risk to the rest of the service or other accounts.

All our passwords are hashed with a very expensive bcrypt operation before being stored, so the data itself is secure.

Developers generally understand these things and, one would hope, protect themselves with strong passwords ;-).
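
For readers who want the policy to hold even when the `disabled` attribute is removed in the browser, the following is an added example (not part of the thread and not the service's own code) of a server-side re-check on the reset request. `MIN_LENGTH`, the `COMMON` list, the field names `newPassword` and `strengthOk`, and the handler shape are all assumptions made for illustration.

```javascript
// Added example: server-side re-check for a password-reset handler.
// MIN_LENGTH and COMMON are assumed values, not the service's real policy.
const MIN_LENGTH = 12;
const COMMON = new Set(["password1234", "qwertyuiop12", "letmein12345"]); // constructed sample

function checkPassword(password, email) {
  const reasons = [];
  if (typeof password !== "string") return { ok: false, reasons: ["missing"] };
  const pw = password.normalize("NFKC");
  // Count code points, not UTF-16 units, so emoji do not count double.
  if ([...pw].length < MIN_LENGTH) reasons.push("too_short");
  if (COMMON.has(pw.toLowerCase())) reasons.push("common");
  // Reject passwords built around the account's own name.
  const local = String(email || "").split("@")[0].toLowerCase();
  if (local.length >= 3 && pw.toLowerCase().includes(local)) {
    reasons.push("contains_account_name");
  }
  return { ok: reasons.length === 0, reasons };
}

// Hypothetical handler: `body` is the parsed form submission.
// Anything the browser claims about strength (body.strengthOk, whether the
// submit button was enabled) is ignored; only the password itself is judged.
function handleReset(body, accountEmail) {
  const result = checkPassword(body.newPassword, accountEmail);
  if (!result.ok) return { status: 422, errors: result.reasons };
  // Hashing (bcrypt, as the reply describes) and storage would happen here.
  return { status: 200, errors: [] };
}
```

The client-side meter can stay for the user experience; this check only decides whether the server accepts the submitted value.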