Skip to main content

Cookie settings

We use cookies to ensure the basic functionalities of the website and to enhance your online experience. You can choose for each category to opt-in/out whenever you want.



Analytics and statistics


[Security] Visual password strength meter (OWASP ASVS v4.0.3-2.1.8)

Avatar: AH

Is your feature request related to a problem? Please describe.
Currently Decidim does not instruct users much about if the password they chose is weak or strong one.

OWASP Application Security Verification Standard (ASVS) version 4.0.3 suggests to show a visual password strength meter to indicate users if the password they selected is strong enough.

This comes from recommendation numbered 2.1.8 which states the following:

Verify that a password strength meter is provided to help users set a stronger password.

Further reading/reference:

Describe the solution you'd like
We ask the user to enter an account password in four places of the application:

  1. When signing up / on the registration form
  2. When changing the account settings at /account
  3. When resetting the password after forgotten password at /users/password/new
  4. When asking admins to reset their password regularly at /change_password

In both these places we should have a visual "meter" which indicates the user if their password is strong or not.

A good reference for this is e.g. the password strength meter for angular which can be tested here:

GitHub repository:

In addition to the visual strength level guide, there should be also a text representation of the current level, i.e. "very weak", "weak", "moderate", "strong" or "very strong".

Describe alternatives you've considered
According to the OWASP ASVS, there are no alternatives to support this requirement.

The implementation details can be further discussed to reach the best possible solution.

Additional context
This issue has been identified by security experts who have evaluated the Decidim platform version 0.27.

For evaluating the password strength, we can use the same algorithm that the example implementation uses:

Does this issue could impact on users private data?
It does not affect users private data but it improves user security which can have positive implications on the user data (e.g. harder to hack the user accounts).

Funded by



Please log in

The password is too short.