Why isn't a client-side password complexity check considered secure?

You’re assuming that the check is bypassed on purpose. It could be the case that someone is using a browser which fails to handle the script properly or with scripts disabled, possibly even without knowing this.

You seem to have a reason for people to use strong passwords. If you do so, why accept that people can bypass it?

Client-side validation can be helpful from a usability perspective, but if you decide that a minimum password strength is required, you should enforce it by implementing it server-side.


The rule when writing a server application is simply: never trust what comes from the client. Checks done client-side are great, as they allow a nice user experience with nice popups and immediate display. But as anything can happen, from a browser with JavaScript disabled to a user using a scripting language to simulate a browser, all checks must be done (again) server-side.

If strong passwords are just recommended, do what you want; if they are a requirement, you must implement a server-side check.

BTW: you as the dev can propose solutions, but the client does express requirements. If you do not agree with them you can ask for clarification and propose other ways, but in the end the client will decide.


If the user MUST set a strong password, checking the password strength only on the client side is a vulnerability.

Example

If you work in a big company and you have to change your password every 2 or 3 months, a few people will start bypassing the client-side check of password strength to use shorter or easier-to-memorize passwords. If these passwords are used to derive cryptographic keys, e.g. for multi-user encryption of files, it becomes horrible...

Solution

Always check the password strength at the server and optionally check the password strength at the client to decrease requests to the server.

Recommended library: ZXCVBN

  • Uses pattern matching and checks for most used passwords to estimate password strength.
  • Is available in multiple programming languages.