[Feature]: Allow weak Password again #508

Closed
opened 2026-02-28 01:48:50 -05:00 by deekerman · 9 comments
Owner

Originally created by @rezzorix on GitHub (Oct 31, 2021).

🏷️ Feature Request Type

Other

🔖 Feature description

Since v1.10.0 no weak passwords are allowed anymore.
Please offer at least an option to allow the use of weak passwords.

✔️ Solution

Having password complexity in general is fine - but hey, please offer at least an option to use weak passwords.

❓ Alternatives

📝 Additional Context

I am sure a lot of people run UK in a strict local environment only, therefore a simple and easy PW is preferred.

⚠️ Please verify that this feature request has NOT been suggested before.

  • [x] I checked and didn't find a similar feature request
deekerman 2026-02-28 01:48:50 -05:00
Author
Owner

@louislam commented on GitHub (Nov 1, 2021):

Currently I use this library to check the password:
https://check-password-strength.netlify.app/

If it is `too weak`, Uptime Kuma will reject it.

I found that the library isn't perfect, because some passwords like `lskdfjlkshlgklhakjfhklsjfjksljlsafsdr` are still `too weak`.
We could discuss a better solution.

Author
Owner

@rezzorix commented on GitHub (Nov 1, 2021):

Well, the requirement for a "strong password" is now alphanumeric & min. 6 characters... that's not strong anyway.
That's not strong at all 😉

Maybe I should be more specific; with weak I mean simple.
On my local monitors I use username=password; really simple stuff.
Means for example username 123, PW 123...

On all monitors that are somehow accessible by others or face the outside world I have strong username/pw + 2FA anyway...

If I could switch off the requirement for login on some machines, that would be even easier.

Author
Owner

@chakflying commented on GitHub (Nov 1, 2021):

I'm a fan of password strength based on entropy. This library (https://www.npmjs.com/package/tai-password-strength), while it doesn't seem very popular, seems to be pretty comprehensive in combining different tests.

In terms of allowing weak passwords, I thought using a password manager is already the norm these days? There really shouldn't be any excuse for a weak password just because it's easier to type.

Author
Owner

@rezzorix commented on GitHub (Nov 1, 2021):

Believe me, I am using a PW manager.
But when you have dynamically changing IPs and don't use any domain names in a local network, you don't want to fill up your PW manager with useless entries.

That's why: allow weak or no PWs please.

All this "strong PW" talk is fine - I am not against it, but case by case please - don't enforce it where it might not be required. At least offer the option to choose the password policy.

Author
Owner

@EzxD commented on GitHub (Nov 1, 2021):

maybe consider something like that:
https://stackoverflow.com/questions/5142103/regex-to-validate-password-strength

Author
Owner

@louislam commented on GitHub (Nov 1, 2021):

> Well, the requirement for a "strong password" is now alphanumeric & min. 6 characters... that's not strong anyway. That's not strong at all 😉
>
> Maybe I should be more specific; with weak I mean simple. On my local monitors I use username=password; really simple stuff. Means for example username 123, PW 123...
>
> On all monitors that are somehow accessible by others or face the outside world I have strong username/pw + 2FA anyway...
>
> If I could switch off the requirement for login on some machines, that would be even easier.

I would suggest something like `abc123`. 123 is clearly too short in my opinion.

FYI: I got a CWE-521 report recently, that is why I added this.
https://cwe.mitre.org/data/definitions/521.html

> That's why: allow weak or no PWs please.

You could disable auth in the settings page btw.

Author
Owner

@rezzorix commented on GitHub (Nov 1, 2021):

> > That's why: allow weak or no PWs please.
>
> You could disable auth in the settings page btw.

Oh man... just saw this option now; I thought it had a different purpose...
Forget my request - I'll just disable auth.

For stronger passwords, however, I would still suggest letting the complexity be set by the admin.

Author
Owner

@andreasbrett commented on GitHub (Nov 1, 2021):

> There really shouldn't be any excuse for a weak password just because it's easier to type.

Exactly. If it really needs to be easy to type, just use a passphrase (https://xkcd.com/936/) rather than a password.

> I'm a fan of password strength based on entropy. This library (https://www.npmjs.com/package/tai-password-strength), while it doesn't seem very popular, seems to be pretty comprehensive in combining different tests.

I'm not a fan of entropy-based password strength determination. It's proven that some weak passwords have high entropy. One great alternative library is zxcvbn (https://www.npmjs.com/package/zxcvbn), which will - just like tai - provide quite a few details on the domain of password weakness ("phrase contained in US movie database", l33t variations, top-100 password etc.) but is not based on entropy and has been developed differently.

Some more details:

  • blog post: https://dropbox.tech/security/zxcvbn-realistic-password-strength-estimation
  • talk at USENIX Security 2016: https://www.youtube.com/watch?v=vf37jh3dV2I

It's easy to use and gives a lot of metrics to determine what you want to have. For UK I could think of simply using the "unthrottled online attack" metric (maybe a slider in the settings to set "how many days should cracking this password take at minimum"). Or even simpler - setting a minimum score (though this scales only from 0 to 4).

So a password `abc123` would be cracked within 1.4 seconds:

```
{
  password: 'abc123',
  guesses: 14,
  guesses_log10: 1.1461280356782377,
  sequence: [
    {
      pattern: 'dictionary',
      i: 0,
      j: 5,
      token: 'abc123',
      matched_word: 'abc123',
      rank: 13,
      dictionary_name: 'passwords',
      reversed: false,
      l33t: false,
      base_guesses: 13,
      uppercase_variations: 1,
      l33t_variations: 1,
      guesses: 13,
      guesses_log10: 1.1139433523068367
    }
  ],
  calc_time: 4,
  crack_times_seconds: {
    online_throttling_100_per_hour: 504,
    online_no_throttling_10_per_second: 1.4,
    offline_slow_hashing_1e4_per_second: 0.0014,
    offline_fast_hashing_1e10_per_second: 1.4e-9
  },
  crack_times_display: {
    online_throttling_100_per_hour: '8 minutes',
    online_no_throttling_10_per_second: '1 second',
    offline_slow_hashing_1e4_per_second: 'less than a second',
    offline_fast_hashing_1e10_per_second: 'less than a second'
  },
  score: 0,
  feedback: {
    warning: 'This is a top-100 common password',
    suggestions: [ 'Add another word or two. Uncommon words are better.' ]
  }
}
```

While the passphrase `JohnnyCactusRainbow` would take 133559128 seconds = 4 years to crack:

```
{
  password: 'JohnnyCactusRainbow',
  guesses: 1335591280,
  guesses_log10: 9.125673574907456,
  sequence: [
    {
      pattern: 'dictionary',
      i: 0,
      j: 5,
      token: 'Johnny',
      matched_word: 'johnny',
      rank: 95,
      dictionary_name: 'male_names',
      reversed: false,
      l33t: false,
      base_guesses: 95,
      uppercase_variations: 2,
      l33t_variations: 1,
      guesses: 190,
      guesses_log10: 2.278753600952829
    },
    {
      pattern: 'dictionary',
      i: 6,
      j: 11,
      token: 'Cactus',
      matched_word: 'cactus',
      rank: 1173,
      dictionary_name: 'passwords',
      reversed: false,
      l33t: false,
      base_guesses: 1173,
      uppercase_variations: 2,
      l33t_variations: 1,
      guesses: 2346,
      guesses_log10: 3.37032800777951
    },
    {
      pattern: 'dictionary',
      i: 12,
      j: 18,
      token: 'Rainbow',
      matched_word: 'rainbow',
      rank: 231,
      dictionary_name: 'passwords',
      reversed: false,
      l33t: false,
      base_guesses: 231,
      uppercase_variations: 2,
      l33t_variations: 1,
      guesses: 462,
      guesses_log10: 2.6646419755561253
    }
  ],
  calc_time: 5,
  crack_times_seconds: {
    online_throttling_100_per_hour: 48081286080,
    online_no_throttling_10_per_second: 133559128,
    offline_slow_hashing_1e4_per_second: 133559.128,
    offline_fast_hashing_1e10_per_second: 0.133559128
  },
  crack_times_display: {
    online_throttling_100_per_hour: 'centuries',
    online_no_throttling_10_per_second: '4 years',
    offline_slow_hashing_1e4_per_second: '2 days',
    offline_fast_hashing_1e10_per_second: 'less than a second'
  },
  score: 3,
  feedback: { warning: '', suggestions: [] }
}
```

The above-mentioned `lskdfjlkshlgklhakjfhklsjfjksljlsafsdr` would take centuries to crack (and just because it's all lowercase doesn't mean it's weak - it is very long and random and therefore quite secure):

```
{
  password: 'lskdfjlkshlgklhakjfhklsjfjksljlsafsdr',
  guesses: 1e+37,
  guesses_log10: 37,
  sequence: [
    {
      pattern: 'bruteforce',
      token: 'lskdfjlkshlgklhakjfhklsjfjksljlsafsdr',
      i: 0,
      j: 36,
      guesses: 1e+37,
      guesses_log10: 37
    }
  ],
  calc_time: 7,
  crack_times_seconds: {
    online_throttling_100_per_hour: 3.6e+38,
    online_no_throttling_10_per_second: 9.999999999999999e+35,
    offline_slow_hashing_1e4_per_second: 1e+33,
    offline_fast_hashing_1e10_per_second: 1e+27
  },
  crack_times_display: {
    online_throttling_100_per_hour: 'centuries',
    online_no_throttling_10_per_second: 'centuries',
    offline_slow_hashing_1e4_per_second: 'centuries',
    offline_fast_hashing_1e10_per_second: 'centuries'
  },
  score: 4,
  feedback: { warning: '', suggestions: [] }
}
```
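The policy andreasbrett sketches above (a minimum zxcvbn score, or a minimum number of days an unthrottled online attacker would need) as an added example; this is editor-written code, not code from the thread, from zxcvbn or from Uptime Kuma. It derives zxcvbn's four `crack_times_seconds` fields from the guess count using the rates named in the field names (100 per hour, 10 per second, 1e4 and 1e10 per second), which reproduces the numbers in the outputs quoted above, and contrasts the estimator-based policy with the "alphanumeric & min. 6 characters" rule rezzorix describes, read here as an assumption: at least six characters with at least one letter and one digit. The sample inputs are the three zxcvbn results quoted in this thread, reduced to the fields the policy needs; `evaluatePolicy`, `comparePolicies` and the policy field names are invented for this example.

```javascript
// Added example, not Uptime Kuma's or zxcvbn's code: evaluate zxcvbn-style
// results against an admin-configurable policy (minimum score, minimum crack
// time under the unthrottled online attacker model).

// Guesses per second behind zxcvbn's four crack_times_seconds fields.
const ATTACK_RATES = {
  online_throttling_100_per_hour: 100 / 3600,
  online_no_throttling_10_per_second: 10,
  offline_slow_hashing_1e4_per_second: 1e4,
  offline_fast_hashing_1e10_per_second: 1e10,
};
const SECONDS_PER_DAY = 24 * 60 * 60;

// Derive the per-model crack time in seconds from a guess count.
function crackTimesFromGuesses(guesses) {
  const times = {};
  for (const [model, rate] of Object.entries(ATTACK_RATES)) {
    times[model] = guesses / rate;
  }
  return times;
}

// The rule the thread describes as current ("alphanumeric & min. 6 characters"),
// read here (assumption) as: at least 6 characters, one letter and one digit.
function meetsAlphanumericRule(password) {
  return password.length >= 6 && /[A-Za-z]/.test(password) && /[0-9]/.test(password);
}

// Policy check over a zxcvbn result. policy.minScore is on zxcvbn's 0-4 scale;
// policy.minDaysUnthrottledOnline is the proposed "how many days should cracking
// take at minimum" setting, measured against the 10-guesses-per-second model.
function evaluatePolicy(result, policy) {
  const times = crackTimesFromGuesses(result.guesses);
  const days = times.online_no_throttling_10_per_second / SECONDS_PER_DAY;
  const reasons = [];
  if (result.score < policy.minScore) {
    reasons.push(`score ${result.score} is below the minimum of ${policy.minScore}`);
  }
  if (days < policy.minDaysUnthrottledOnline) {
    reasons.push(`about ${days.toPrecision(3)} days to crack online, minimum is ${policy.minDaysUnthrottledOnline}`);
  }
  return {
    accepted: reasons.length === 0,
    daysUnthrottledOnline: days,
    reasons,
    // zxcvbn's own feedback is passed through so a UI can show it to the user.
    warning: result.feedback ? result.feedback.warning : '',
  };
}

// Constructed sample inputs: the three zxcvbn results quoted in this thread,
// reduced to the fields the policy needs.
const SAMPLE_RESULTS = [
  { password: 'abc123', guesses: 14, score: 0,
    feedback: { warning: 'This is a top-100 common password' } },
  { password: 'JohnnyCactusRainbow', guesses: 1335591280, score: 3,
    feedback: { warning: '' } },
  { password: 'lskdfjlkshlgklhakjfhklsjfjksljlsafsdr', guesses: 1e37, score: 4,
    feedback: { warning: '' } },
];

// Example policy: score 3 or better and at least a year of unthrottled online guessing.
const EXAMPLE_POLICY = { minScore: 3, minDaysUnthrottledOnline: 365 };

// Side-by-side verdicts of the character-class rule and the estimator policy.
function comparePolicies(results, policy) {
  return results.map((r) => ({
    password: r.password,
    alphanumericRule: meetsAlphanumericRule(r.password),
    estimatorPolicy: evaluatePolicy(r, policy).accepted,
  }));
}

for (const row of comparePolicies(SAMPLE_RESULTS, EXAMPLE_POLICY)) {
  console.log(row);
}
```

The comparison makes the thread's point concrete: `abc123` satisfies the six-character alphanumeric rule yet scores 0 and is rejected by the policy, while `JohnnyCactusRainbow` and the long random lowercase string fail the alphanumeric rule (no digit) but pass on score and crack time.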
Author
Owner

@louislam commented on GitHub (Nov 1, 2021):

> Forget my request - I'll just disable auth.

No problem, I'll close this issue since I believe that weak passwords would not be accepted again.

Reference
starred/uptime-kuma#508