Potentially misleading strength indications. eg PW "123456" should be "less than 1s", not "1 day"

[dlmetcalf]

While technically the password "123456" or "secret" can be cracked in less than 1 day, many readers will interpret that to mean close to a day, or at least in that order of magnitude.

In reality, such passwords are of course cracked in milliseconds. Hence, it quite risks misleading many users into believing their passwords are FAR stronger than they are.

[c-a-m]

Great point. 1 day was the smallest unit in the code. My thinking was that anything one day or less is never acceptable. However one goal of Passfault is self-education. It makes sense to communicate how much more insecure these patterns are. Thanks for the feedback

[dlmetcalf]

Cheers. I wish I had a good proposal for what to actually change it to though. I'm sure you'll come up with something. :-) The project's a great concept and very educational. This one issue's a bit of an edge case, but glad you see it too now.