| ▲ | Leomuck 11 hours ago |
Fair! I did think about this a lot. Initially, I also thought "8 characters of any kind" are fair enough. Then I read a lot and decided a bit more security would be good. But honestly, given what you wrote, I did find myself happy that I had an account before this security measure. So I guess I'm of your opinion. However, the app does not enforce lowercase/uppercase. It uses Laravel's uncompromised() function, which I think makes sense. It checks against https://haveibeenpwned.com/Passwords. I'm happy to discuss length! But I think the uncompromised check makes sense. But happy to hear any arguments! If it makes it harder to register, that is still an argument and must be discussed against the argument of security. I'd love to hear other people's thoughts here, since security vs. usability is always a complicated thing.
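The check behind the uncompromised() rule mentioned above is the Pwned Passwords range API, which works by k-anonymity: the client sends only the first five hex characters of the SHA-1 of the password and matches the returned suffixes locally, so neither the password nor its full hash leaves the application. The following is an added, self-contained illustration of that lookup with a constructed offline bucket; it is not Laravel's code, and the names `breach_count`, `is_uncompromised` and `fetch_range_offline` are mine.

```python
"""k-anonymity lookup against the Pwned Passwords range API (offline demo).

Real flow: GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>
returns lines of "<remaining 35 hex>:<count>"; the client compares suffixes
locally. Here the HTTP call is replaced by a constructed in-memory bucket.
"""
import hashlib
from typing import Callable

# Constructed sample bucket for the well-known breached string "password".
# The suffix is derived from the real SHA-1 at runtime; the counts and the
# second (unrelated) suffix are made-up values in the API's line format.
_PASSWORD_SHA1 = hashlib.sha1(b"password").hexdigest().upper()
SAMPLE_BUCKET = {
    _PASSWORD_SHA1[:5]: (
        f"{_PASSWORD_SHA1[5:]}:3861493\r\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call; unknown prefixes yield an empty body."""
    return SAMPLE_BUCKET.get(prefix.upper(), "")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """Return how often `password` appears in the corpus (0 = never seen).

    Only the 5-character hash prefix is handed to `fetch_range`; the suffix
    comparison happens in-process, which is the whole point of the design.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            # Some responses pad buckets with ":0" entries; treat those as unseen.
            return int(count or 0)
    return 0


def is_uncompromised(password: str, threshold: int = 0) -> bool:
    """Accept a password only if it was seen at most `threshold` times.

    `threshold` mirrors the optional argument of Laravel's rule (default 0,
    i.e. any appearance rejects); the exact comparison here is my choice.
    """
    return breach_count(password) <= threshold
```

Swapping `fetch_range_offline` for a function that performs the HTTP GET turns this into the live check; the prefix-only contract stays the same.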
| ▲ | linsomniac 10 hours ago | parent | next [-] |
This opinion is worth what you paid for it: Don't make your password requirements less strict. Don't encourage people to use weak passwords that are likely shared across sites. That leads to pain and suffering over the long term. If you want to reduce friction for people who don't/won't use a password manager, provide a passwordless option like a login link that is e-mailed to them. Yes, people will likely complain about "your service is supposed to be my email, why are you requiring an e-mail to login", in which case they should be using a strong password. To the person requesting weak passwords: Just set up the Google or Firefox password manager; it will auto-suggest a strong password on the registration page and save it for use across devices. There is zero reason to be using the same password across accounts, and a lot of reason not to. Attackers do actively try passwords you have used on other sites to try to compromise your accounts elsewhere. This happens when services leak passwords or password hashes. If your password is short and lowercase, it really doesn't matter if only your password hash has been leaked; it might as well have just been the password itself. This is the lowest-hanging fruit for attackers.
| ▲ | turblety 10 hours ago | parent | prev [-] |
There really are only two dials you can turn to increase the security of a password, and that's the size of the character set (the characters that the user can use in their password) and the length of the password itself. People should be using a password manager; then they can set that to 100/200 characters. Even if all lowercase, it will be unbreakable (assuming a modern/secure one-way hashing algorithm, and that the password manager is truly random). If they are not using a password manager and use something like `waterfall!X` (because you enforce a special character and capital letter), you haven't actually increased entropy by that much, compared to a longer password. Them making up a 100-character password will almost guarantee more entropy than a short password they make up like `waterfall!X`. Also, because it's the internet [1]: