@ammario I'm working on this one currently. Based on your comments and what I checked in the code - I plan to :

• Remove the entropy validation in the backend (not explicit enough.)
• Add a condition both frontend and backend side to ensure the password is between 6 and 64 characters - does not matter the pattern.
• Validation will be done frontend side (so will be easier to iterate on for the users.) but I keep it also backend side just in case obviously.

We can add more rules if we want, but I feel like based on your description it will be enough.

Also, do we want to use this opportunity to change it overall in our password flows , or just for this specific one ?

If I understand it correctly you're removing all entropy checking? I think it's a nice feature on the frontend (when non-blocking) but don't feel strongly we should have it if inconvenient to implement.

Validation will be done frontend side (so will be easier to iterate on for the users.) but I keep it also backend side just in case obviously.
The backend implementation is important for CLI flows. Some of our users build new frontends around Coder too.

An idea is keeping all validation in the backend and implementing a "check" endpoint to avoid issues of behavioral mismatch between FE and BE. The FE can send inputted passwords to the BE with a debounce before the user hits submit.

Also, do we want to use this opportunity to change it overall in our password flows , or just for this specific one ?

And, I do believe we should have a consistent UX and code-paths for every place we accept new passwords.

@defelmnq Is there anything left here or can we resolve this issue now?

All good now, resolved with the PR merged for a first iteration.