Requests for comment/Password strength

Create a module to check the password strength.

It must be called on account creation, password change and login.

It seems a good idea to have it generate the temporary passwords, too.

When creating an account, the module can:
 * Accept the password.
 * Request confirmation for using such a weak password (but otherwise create the account).
 * Reject the password.

When logging in, the module can:
 * Accept the password.
 * Force a password change.
 * Forbid logging in with such a password (the user must change it via other means, such as email or the help desk).
 * Request confirmation on the first login after the password in use was added to the weak list?

For password change the options should be the same as for creating an account. The interface is harder there, though.

The default should be either to request confirmation or to force a password change (based on whether it's weak or really weak?), but the configuration should be flexible so that a sysadmin can tighten it.

Allow forcing a password change for all passwords set prior to a given date (for use when the password db has been compromised).
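
The decision table described above, sketched in Python as an added example (not code from this proposal or from any existing module). The strength classes, the toy classify() rules, the sample common-password list and all names are assumptions, and rejecting a really weak password at creation stands in for the forced change that only applies at login.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Optional

class Strength(Enum):
    OK = "ok"
    WEAK = "weak"
    VERY_WEAK = "very_weak"

class Action(Enum):
    ACCEPT = "accept"
    CONFIRM = "confirm"            # ask the user to confirm using a weak password
    REJECT = "reject"              # account creation / password change only
    FORCE_CHANGE = "force_change"  # login only
    FORBID_LOGIN = "forbid_login"  # login only; reset via email or the help desk

# Constructed sample; a deployment would load the list of common passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

def classify(password: str, username: str = "") -> Strength:
    """Toy classifier (assumption): listed or equal to the username is
    really weak, shorter than 8 characters is weak."""
    if password.lower() in COMMON_PASSWORDS or password.lower() == username.lower():
        return Strength.VERY_WEAK
    return Strength.WEAK if len(password) < 8 else Strength.OK

@dataclass
class Policy:
    # Defaults: confirm when weak, stricter action when really weak.
    # A sysadmin tightens the policy by overriding entries in these maps.
    on_set: dict = field(default_factory=lambda: {
        Strength.WEAK: Action.CONFIRM, Strength.VERY_WEAK: Action.REJECT})
    on_login: dict = field(default_factory=lambda: {
        Strength.WEAK: Action.CONFIRM, Strength.VERY_WEAK: Action.FORCE_CHANGE})
    force_change_before: Optional[datetime] = None  # set after a password db compromise

def check_set(policy: Policy, password: str, username: str = "") -> Action:
    """Account creation and password change share the same options."""
    return policy.on_set.get(classify(password, username), Action.ACCEPT)

def check_login(policy: Policy, password: str, password_set_at: datetime,
                username: str = "") -> Action:
    """Call after the password has been verified, while the plaintext is at hand."""
    cutoff = policy.force_change_before
    if cutoff is not None and password_set_at < cutoff:
        return Action.FORCE_CHANGE  # applies regardless of strength
    return policy.on_login.get(classify(password, username), Action.ACCEPT)
```

The strength check at login is only possible because the plaintext password is available at that moment; stored hashes cannot be classified after the fact, which is why the date cutoff is a separate rule.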

For the future: determine a configuration suitable to represent all kinds of password policies.


 * List of common passwords to feed the module.