undefined | Better HN

0 pointseridius11y ago0 comments

The security of this is a joke because this isn't a security move. It's not designed to make the users secure after the Heartbleed vulnerability. It's purely designed to make logging in annoying for the users, so they finally change the password they should have changed a while ago.

Seems a heck of a lot better than force-expiring passwords like I'd expect any other company to do.

0 comments

1 comments · 1 top-level

jtheory11y ago

Exactly; I like it, personally.

Blocking login until they've changed their password is too harsh, and it's counter-productive.

A college student who needs to choose a new password now but is under time pressure is definitely not going to take recommended steps like "go install a password manager that'll generate a secure random password for you." They may not even have a piece of paper on hand right now, so they will choose a password that they can remember.

Like -- their previous password, but "2" instead of "1" at the end....

Whereas if you just give them a nudge like this, they will bear the annoyance of typing it twice if they're in a rush, then when time permits they can choose a decent replacement.

j / k navigate · click thread line to collapse