I like this section of the podcast (paraphrased):
“Teamviewer’s saying compromised credentials is the users’ problem, not Teamviewer’s. But it’s not: blaming users is tarnishing Teamviewer’s reputation.”
Taking this sentiment and applying it to the safe network… Let’s not have ‘users choosing weak credentials’ reflect poorly (and incorrectly) on the underlying strength of the safe network. Safe can’t blame users. It can only help them make better decisions to start with.
I’m not fussed what scheme is used in the UI to derive the secret, but the user should be told how strong their underlying secret is. The underlying secret is only as strong as the credentials used to derive it.
As @Tim87 says about zxcvbn for password strength, let’s not necessarily restrict users, but make sure they understand the strength or weakness of their choice.
It may be good to display a real metric to describe strength like ‘Your passphrase would take about 3 years to crack’*. This at least provides a tangible incentive to the user, rather than an arbitrary sliding scale of ‘weak’ to ‘very strong’.
* even though there’s some uncertainty about the ‘true’ amount of time due to the uncertain progress of future tech developments etc.
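As an added illustration (not code from the post, the safe network, or zxcvbn), here is a crude crack-time estimator that turns a passphrase into the kind of message suggested above, under assumed attacker guess rates, and with a second figure that allows attacker throughput to keep doubling, which is one way to put a number on the footnote's uncertainty. The guess rates, the doubling period and the character-class search-space model are all assumptions; a real UI should use a pattern-aware estimator such as zxcvbn for the guess count.

```javascript
// Assumed attacker guess rates (guesses per second); illustrative, not measured.
const GUESS_RATES = {
  onlineThrottled: 100,   // rate-limited remote login attempts
  offlineSlowKdf: 1e4,    // secret stored behind a deliberately slow KDF
  offlineFastHash: 1e10,  // secret stored behind a fast unsalted hash
};
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Crude search-space estimate: (character-class pool size) ^ length.
// Unlike zxcvbn this ignores dictionary words and keyboard patterns,
// so it overestimates strength for passphrases built from common words.
function estimateGuesses(passphrase) {
  let pool = 0;
  if (/[a-z]/.test(passphrase)) pool += 26;
  if (/[A-Z]/.test(passphrase)) pool += 26;
  if (/[0-9]/.test(passphrase)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(passphrase)) pool += 33;
  if (pool === 0) return 1;
  return Math.pow(pool, passphrase.length) / 2; // average case: half the space
}

// Naive estimate: attacker speed never changes.
function crackSecondsFixed(guesses, ratePerSec) {
  return guesses / ratePerSec;
}

// Estimate assuming attacker throughput doubles every `doublingYears` years
// (assumption). With rate r(t) = r0 * 2^(t/T), guesses made by time t are
// r0 * T/ln2 * (2^(t/T) - 1); solving that for t gives the line below.
function crackSecondsWithGrowth(guesses, ratePerSec, doublingYears = 2) {
  const T = doublingYears * SECONDS_PER_YEAR;
  return T * Math.log2(1 + (guesses * Math.LN2) / (ratePerSec * T));
}

// Turn seconds into the message shape the post suggests, e.g. "about 3 years".
function humanize(seconds) {
  if (seconds < 1) return "instantly";
  const units = [["seconds", 1], ["minutes", 60], ["hours", 3600],
    ["days", 86400], ["years", SECONDS_PER_YEAR], ["centuries", 100 * SECONDS_PER_YEAR]];
  let label = "seconds", size = 1;
  for (const [name, s] of units) if (seconds >= s) { label = name; size = s; }
  return `about ${Math.round(seconds / size)} ${label}`;
}

function describeStrength(passphrase, scenario = "offlineFastHash") {
  const guesses = estimateGuesses(passphrase);
  const rate = GUESS_RATES[scenario];
  return { guesses,
    fixed: humanize(crackSecondsFixed(guesses, rate)),
    withGrowth: humanize(crackSecondsWithGrowth(guesses, rate)) };
}
```

Showing both `fixed` and `withGrowth` side by side tells the user not just a number but how much that number depends on assumptions about the attacker.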