undefined | Better HN

0 pointsLeomuck22d ago0 comments

Yes, I did read up a lot about password security the last few years. But still, I'm worried a very secure policy restricts people from registering at all, see case above. What would you say is a good compromise?

Another thought I have discussed a lot is, this app is not something critical. It's not online banking, it saves very little about you (as little as possible), etc. - so what does this say about the compromise? If an account was to be compromised, an attacker would only have access to the todos, music, notes of a user. Now, todos and notes could be very telling, but I'm unsure about how much of a responsiblity I have as an admin to save users from this? Do you know what I mean?

0 comments

turblety22d ago

Yeah I understand. I think my point is don’t add any other friction to the password strength other than length. If you want more security increase the min length, if you’re happy with less, lower it.

I’d personally have a 12 length password enforcement, a password strength meter and nothing else. Possibly less if you introduce 2fa.

LeomuckOP22d ago

Yea, that's what I gathered as well. So what do you think about checking against compromised passwords?

j / k navigate · click thread line to collapse

0 comments

turblety22d ago

I’d personally have a 12 length password enforcement, a password strength meter and nothing else. Possibly less if you introduce 2fa.

LeomuckOP22d ago

Yea, that's what I gathered as well. So what do you think about checking against compromised passwords?

j / k navigate · click thread line to collapse