Hacker News new | ask | show | jobs
by HappyTypist 3448 days ago
Is it really impossible for a human to follow?

"Shiny C0rrect H0rse Battery Staple!"
4 comments
LordKano 3448 days ago
That's a good long term solution but when policies force you to change your password every 45 days, it falls apart.

In my experience, overly restrictive password policies force users to choose passwords that are less secure and easier to remember.

link
Spooky23 3448 days ago
The good news is that the practice is going away NIST revised it's guidance/recommendation for password cycling.
link
mundo 3448 days ago
You can tell a company has this policy when every monitor has a sticky note on it with the numbers 1 to N on it, where 1 to N-1 are crossed out.
link
COil 3448 days ago
Yes indeed. For example they add the current year and month and keep the same "base password" which is unsafe.
link
e12e 3448 days ago
"Password2017" is a typical "secure" password. Capital and small letters, and number - longer than 8 characters. Passes most "checks" for passwords...
link
koolba 3448 days ago
"Password2017!" is even better. It's got a special character!
link
falcolas 3448 days ago
My favorite "pattern for stupid passphrase requirements" is "1qaz@WSX" - then just move a row to the right with every password change. :)
link
quickben 3447 days ago
Funny how most people go for ! as the default special character :)
link
koolba 3447 days ago
It adds to the excitement of logging into an application. Instead of "login", you get to "login!".
link
LordKano 3447 days ago
I think it's a natural outgrowth of how so many people chose "1" when they were forced to add a number to their passwords.
link
eriknstr 3448 days ago
Embedding special characters only makes it harder to remember correctly yet has little benefit. Your example is the same used in the xkcd where they explain this (except you've added an additional word at the beginning) so you've probably seen it already but I'll link it anyways. https://xkcd.com/936/
link
jesseb 3448 days ago
At work I constantly deal with people who can't remember passwords as short as 8 characters, you have to remember we're not representative of the average person.
link
keymone 3448 days ago
you should ask them what they prefer - remembering 8 random characters or 4 random words
link
sib 3448 days ago
For one specific site, no. But if you have 100-200 different passwords to remember, it's impossible for most people.
link