undefined | Better HN

0 pointspdpi12y ago0 comments

There was a discussion here a while back on this matter, where I held very much the same position as you. The other guy convincingly proved that adding the "must use at least one each of these character classes" barely reduces the password space, while promoting increased password complexity for those people who would pick the _really_ easy ones.

0 comments

3 comments · 2 top-level

scrollaway12y ago· 1 in thread

What if I want my password to be "one small step for man one giant leap for mankind" (or something less known)? Do I really have to put a dollar in that to make it secure?

Teach good password hygiene. Use keepassx. Use decentralized third party authentication with providers that know what they are doing and use 2FA and such!

But password restrictions achieve very little. Let people use their 12345 if they really want, they won't learn by watching the stove but by touching it. Some people are like that and we should educate, not babysit.

graylights12y ago

Well the other part of weak passwords is for many websites the users care less about account security then the website operator.

There are many sites which contain none of my personal info but I have to setup an account just to view website content. If my account gets hijacked, it might be used for spamming. But still If I could make a throwaway account with a blank password I would because I don't care about that accounts security. So surely some restrictions need to be in place if you're going to require signups.

pbhjpbhj12y ago

Perhaps it's better to suggest using at least one capital, one number and one symbol. You can warn a user that their password doesn't use those and remind them to make it long and not a mere short colocation of dictionary words but ultimately - unless it's risking other's security - you can let them set any password they like?

j / k navigate · click thread line to collapse