Feature suggestion: Password strength feedback when setting master password

Suggestion: Add password strength feedback when setting the master password

Hi everyone,

While working on a recent PR related to the master password dialog, I noticed that when setting or changing the master password there is currently no feedback about password strength.

It might be helpful to display simple feedback while the user types a new password, such as:

  • Password is too short

  • Consider adding numbers or special characters

  • Strong password

This could help users create stronger passwords and improve the UX of the master password dialog.

If this sounds useful, I'd be happy to work on implementing it.

For context, I recently contributed a small fix to the master password dialog (#14566).

Thanks!

1 Like

One of a GSoC proposals for this year is to add a password strength indicator to Joplin, presumably for the master password and encryption key passwords.

I think something that also needs to be improved is that on Joplin desktop, on a new profile, if you enable encryption without first setting the master password, you are prompted to enter a password and there is only one password input (no repeat password field) and no show/hide password toggle either. So if you enter a password there, there is no way of knowing whether or not you made a mistake, and it will use whatever you entered as the master password going forward.

Also the place where you can change the master password could do with having a repeat password field too, like when you set it up for the first time.

1 Like

Thanks for pointing that out — that’s a really good observation.

I hadn’t noticed that when enabling encryption on a new profile there is only a single password field with no confirmation or show/hide toggle. That could definitely lead to users accidentally setting a password they didn’t intend.

Adding a repeat password field (and possibly a show/hide toggle) there would make the flow safer. It also makes sense for the “change master password” dialog to have a repeat password field for consistency.

I can take a closer look at this part of the code and see if these improvements can be implemented along with the password strength feedback.
If this approach sounds reasonable, I can start by implementing the repeat-password field and open a pull request.

1 Like

Hi,

Here are links to two very reliable password strength testing sites. The testing is done locally; nothing is transmitted to the web, so they don't see the password that you're checking. You can verify this by disconnecting yourself from the internet when you do the actual password check: after you bring up the web page, it will download the code it needs to determine the strength of your password in your browser and not transmit anything back to the internet.

https://nordpass.com/secure-password/

https://bitwarden.com/password-strength/

1 Like

I think one problem with password strength calculation is that it lies when it comes to passphrases, diceware passwords, i.e. passwords that are built out of a list of dictionary words. For example, it will report a passphrase built out of 2-3 words as "very strong", even though it's actually very weak and easy to crack.

Agreed. Simple passphrase passwords can often be tricked into being reported as being a stronger password than they really are.
In fact both of these tools can tell you that a password that's a passphrase of five or six words will take centuries to decrypt.

I use the password generator tool incorporated into keepassxc to create my passphrase passwords, and they often complain that passphrase passwords that are only five or six words are too weak, so I often have passphrase passwords in excess of 40 characters.

I no longer use passwords that I can remember. If I can remember it it's too easy to crack.

The moral of the story is: when creating passwords, especially a master password, do not create one that is so simple that you can easily remember it. Put it in a password manager and make it very strong.

1 Like

For reference, Joplin Server currently uses the zxcvbn library for password strength estimation (relevant code).

Edit: zxcvbn may no longer be maintained.

1 Like

Hi,

A password strength indicator could definitely be useful when setting the master password, especially for new users.

For reference, Joplin Server already uses the zxcvbn library for password strength estimation, so reusing the same logic on the client side could keep the behaviour consistent.

However, since zxcvbn may no longer be actively maintained, it might also be worth considering whether it’s still the best option long-term or if an alternative library should be evaluated.

Another thing that could help is showing short feedback on why a password is considered weak (length, common words, etc.), which usually makes the indicator more helpful than just displaying a score.

1 Like

Thanks everyone for the feedback and references.

Based on the discussion, it seems there are a few possible improvements related to password input and security feedback:

  1. Add a repeat password field when enabling encryption so users can confirm the password.

  2. Add a show/hide password toggle for better usability.

  3. Add a password strength indicator when setting or changing the master password.

Since Joplin Server already uses the zxcvbn library for password strength estimation, it might make sense to reuse the same logic on the client side for consistency (while also checking whether the library is still the best option long-term).

I’m thinking of starting with the smaller UX improvements first (repeat password field and show/hide toggle), and then exploring the password strength indicator.

Does this approach sound reasonable?

2 Likes
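As an added example (not Joplin's code, and not zxcvbn), here is a small, fully local estimator that covers the three points summarised above: it confirms that the repeat field matches, it produces the short "why is this weak" feedback strings from the opening post, and it handles the passphrase caveat raised earlier in the thread by scoring a dictionary passphrase on its word count rather than its character count. The word list and the assumed list size (7776, a diceware-style list) are constructed sample values; a real indicator would load a proper dictionary.

```javascript
// Added example: a local password-strength estimator with passphrase-aware
// scoring and a repeat-password check. Not Joplin's code and not zxcvbn.

// Constructed sample dictionary (a real implementation would ship a full list).
const SAMPLE_WORDLIST = ['correct', 'horse', 'battery', 'staple', 'password',
  'joplin', 'apple', 'river', 'cloud', 'stone'];
// Assumed size of the word list the passphrase was drawn from (diceware: 6^5).
const SAMPLE_WORDLIST_SIZE = 7776;
const MIN_LENGTH = 12;
const LABELS = ['Very weak', 'Weak', 'Fair', 'Strong', 'Very strong'];

// Character-based estimate: length * log2(alphabet size actually used).
function charsetBits(password) {
  let alphabet = 0;
  if (/[a-z]/.test(password)) alphabet += 26;
  if (/[A-Z]/.test(password)) alphabet += 26;
  if (/[0-9]/.test(password)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(password)) alphabet += 33;
  return alphabet === 0 ? 0 : password.length * Math.log2(alphabet);
}

// If the password is two or more dictionary words separated by space, '-' or '_',
// return the word count; otherwise 0.
function passphraseWords(password, wordlist) {
  const words = password.toLowerCase().split(/[\s\-_]+/).filter(Boolean);
  if (words.length < 2) return 0;
  const dict = new Set(wordlist);
  return words.every(w => dict.has(w)) ? words.length : 0;
}

function scoreFromBits(bits) {
  if (bits < 28) return 0;
  if (bits < 40) return 1;
  if (bits < 60) return 2;
  if (bits < 80) return 3;
  return 4;
}

// Returns { score: 0-4, label, bits, feedback: string[] }.
function estimateStrength(password, options = {}) {
  const wordlist = options.wordlist || SAMPLE_WORDLIST;
  const listSize = options.wordlistSize || SAMPLE_WORDLIST_SIZE;
  const feedback = [];
  let bits;
  const words = passphraseWords(password, wordlist);
  if (words > 0) {
    // A dictionary passphrase is guessed word by word: entropy is
    // words * log2(list size), regardless of how many characters it has.
    bits = words * Math.log2(listSize);
    if (words < 6) {
      feedback.push(`Passphrase of ${words} dictionary words is guessable; use at least 6`);
    }
  } else {
    if (wordlist.includes(password.toLowerCase())) {
      // A single dictionary word is one guess out of the list, whatever its length.
      bits = Math.log2(listSize);
      feedback.push('Avoid common words');
    } else {
      bits = charsetBits(password);
    }
    if (password.length < MIN_LENGTH) feedback.push('Password is too short');
    if (!/[0-9]/.test(password) || !/[^A-Za-z0-9]/.test(password)) {
      feedback.push('Consider adding numbers or special characters');
    }
  }
  let score = scoreFromBits(bits);
  // Never report a too-short random password as better than "Weak".
  if (words === 0 && password.length < MIN_LENGTH) score = Math.min(score, 1);
  if (feedback.length === 0) feedback.push('Strong password');
  return { score, label: LABELS[score], bits, feedback };
}

// The confirmation check comes first: a strong password that was mistyped
// is a forgotten password.
function validateNewPassword(password, repeat) {
  if (password !== repeat) {
    return { ok: false, error: 'Passwords do not match', strength: null };
  }
  const strength = estimateStrength(password);
  return { ok: strength.score >= 3, error: null, strength };
}

module.exports = { estimateStrength, validateNewPassword, charsetBits, passphraseWords };
```

A UI would call `estimateStrength` on every keystroke in the new-password field and `validateNewPassword` on submit; `feedback` is what the dialog shows next to the strength bar, and `bits` is only there so the scoring can be inspected.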

As an end-user, your approach sounds reasonable.

I expect that a repeat password field and show/hide toggle would be more important and impactful than a password strength indicator. Why? As important as password strength is, confirming that the password you entered matches what you think you typed in should come first. A strong password that doesn't match your expectation, whether via a typo or an accidental keystroke, likely becomes a forgotten one. While the Manage master password dialog does display the current password and a new password field with a show/hide toggle, confirming your password upon setting it still seems crucial for security reasons.

Besides, password strength indicators can be found in password managers, local password strength testing websites (as listed above), and elsewhere. I'm not saying that a password strength indicator is unnecessary. Rather, that there are workarounds for it but not password confirmation.

There's also the open zxcvbn maintenance question that can complicate adding in an indicator.

1 Like

@Ronaldo What’s particularly odd is that the change master password screen does have a repeat password input, if encryption has not yet been enabled. But after being enabled the re-enter password input is no longer present on that screen, even if you disable encryption again:

Add a repeat password field when enabling encryption so users can confirm the password.

For this issue, it might make sense to just display a message which says ‘Master password has not been set’ if the master password hasn’t been set yet, rather than adding another form with multiple password inputs. Also I think because clicking the enable encryption button opens a dialog rather than a modal, you wouldn’t be able to add a show password button without converting it to a modal.

I've created the following issues on GitHub, to cover these problems:

1 Like

I think password management is best left to The Experts that make the password managers.

My password manager has a password generator that is adjustable to different strength settings and criteria and then it copies and saves your final decision to the database.

Thanks for the clarification and for creating the issues.

I’ve submitted fixes addressing both problems:

  • For #14659, clicking Enable encryption when no master password is set now opens the existing master password setup dialog, so the user can confirm the password properly.

  • For #14658, the “Re-enter password” field is now always displayed on the change master password screen, even after encryption has been enabled.

Both changes were tested on the desktop app and restore the expected password confirmation behaviour. Please let me know if any adjustments are needed.

@Ronaldo Is your Github user Vinayreddy765? If so, you haven’t read the submission guidelines properly

Understood, thank you for pointing that out. I apologize for the @mention — I won’t do that again.

I’ll follow the contribution guidelines more carefully going forward and wait for feedback on the pull requests.

Hi everyone! Great discussion here. I'm planning to apply for the GSoC project on password strength indicators for Joplin.

Building on the issues raised here, my goal would be to integrate a library like zxcvbn to provide real-time visual feedback on password strength when setting the master password — things like a strength meter and tips like 'add special characters' or 'avoid common words'.

This would complement the fixes @Ronaldo is working on for the re-enter password field. Happy to coordinate so our work aligns well. Looking forward to contributing!

Hello everyone,

Following the earlier discussion about adding password strength feedback to the master password dialog, I have prepared a draft proposal for implementing the Password Strength Indicator feature as part of GSoC 2026 (Idea #7).

The proposal describes the approach for integrating the zxcvbn password strength evaluation library into the existing MasterPasswordDialog and implementing a React-based PasswordStrengthIndicator component that provides real-time feedback while the user types.

Key aspects include:
• Real-time password strength evaluation
• A visual strength bar and strength label
• Actionable suggestions for improving password quality
• Fully local evaluation with no network calls

full proposal

GSoC 2026 Proposal_ Password Strength Indicator for Joplin Master Password UI (3).pdf (2.0 MB)

I would greatly appreciate feedback from mentors and contributors regarding the proposed architecture and implementation approach.

Thank you!