
If someone is going to do this, 'At least one special character' etc. is not the way to do it. According to OWASP guidelines, a secure password must enforce a minimum length but not any other specific criteria, because they actually end up reducing password strength. Instead, the best option is to add a password strength indicator below the password entry field, to encourage the user to create a strong password. The help text can also mention using a password manager but it's difficult to do in a good way.



One of my pet peeves is when rules counteract the purpose they are supposed to serve, usually because of incompetence. Two years ago, I worked for a few months for a company where time reporting was accessed through a specific web page.

They required the password to be changed monthly, have at least 10 characters, at least one number and at least one special character. On top of that – they locked out password managers and pasting. "We need to make sure you are the one logging in and not a hacker that hacked your password manager" they explained when I asked.

Out of spite I went for "Password12!" the first month and "Password123!" the month after, at which point I received an email from the IT department explaining to me that my choice of password was endangering the corporation's security.
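The two posts above make complementary points: the first that a length minimum plus a strength indicator beats "at least one special character" rules, the second that a composition-rule policy happily accepts "Password12!". This is an added example, not code from either poster or from OWASP. It checks the thread's sample passwords against both styles of policy. The tiny blocklist, the 12-character minimum, the label thresholds and the 33-character punctuation pool used for the entropy estimate are all constructed assumptions; a real deployment would use a full breached-password list.

```python
import math
import re

# Constructed stand-in for a breached-password list (real lists have millions of entries).
COMMON_PASSWORDS = {
    "password", "password1", "password12!", "password123!", "qwerty", "letmein",
}


def composition_rule_check(pw: str) -> bool:
    """The policy described in the thread: >= 10 chars, one digit, one special character."""
    return (
        len(pw) >= 10
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def is_blocklisted(pw: str) -> bool:
    """True if the password, or its stem with trailing digits/punctuation removed, is common.

    The stem check is what catches "Password123!" even if only "password" were listed.
    """
    lowered = pw.lower()
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    return lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS


def length_and_blocklist_check(pw: str, min_length: int = 12, max_length: int = 128) -> bool:
    """Length-only policy plus a blocklist: no composition rules at all."""
    if not (min_length <= len(pw) <= max_length):
        return False
    return not is_blocklisted(pw)


def estimate_entropy_bits(pw: str) -> float:
    """Crude upper bound: length * log2(size of the character classes actually used).

    Deliberately naive so the example shows why a blocklist is still needed:
    "Password12!" scores ~72 bits here yet is a top guess for any cracker.
    """
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # assumption: 32 printable ASCII punctuation characters plus space
    return len(pw) * math.log2(pool) if pool else 0.0


def strength_label(pw: str) -> str:
    """What a strength indicator under the password field might display."""
    if is_blocklisted(pw):
        return "very weak"
    bits = estimate_entropy_bits(pw)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    if bits < 90:
        return "good"
    return "strong"


if __name__ == "__main__":
    # Constructed sample inputs: the thread's two passwords plus a long passphrase.
    for pw in ("Password12!", "Password123!", "correct horse battery staple"):
        print(
            f"{pw!r:34} composition-rules={composition_rule_check(pw)!s:5} "
            f"length+blocklist={length_and_blocklist_check(pw)!s:5} "
            f"entropy~{estimate_entropy_bits(pw):5.1f} bits  indicator={strength_label(pw)}"
        )
```

Running it shows the inversion the first post complains about: the composition rules accept both "Password12!" and "Password123!" and reject the 28-character passphrase (no digit), while the length-plus-blocklist policy does the opposite.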


> I received an email from the IT department explaining to me that my choice of password was endangering the corporation's security.

Sounds like they were logging/storing passwords in plaintext.


Or offline cracking passwords using a wordlist.


Isn't it nice that hackers give up as soon as they realize they can't paste the password in?

And password managers (keepassxc anyways) have a pretty nifty auto-type feature that gets around that anyways.


Have you heard of the Cobra Effect?



