Hacker News new | ask | show | jobs
by nsfyn55 2467 days ago
They do matter but not for the reason you'd first think. It's about liability. Imagine a bank testifying in a hearing about a recent data breach. They are going to want to give the perception that they have done everything within reason to protect their user's data. Password restrictions are a cheap feather in one's due diligence cap.
1 comments
zAy0LfpBZLC8mAC 2466 days ago
So ... how exactly is "your honor, we didn't allow passwords longer than 5 chars" going to help them, you reckon?
link
nsfyn55 2466 days ago
Easy. Civil law operates on a concept called "preponderance". It's not absolute in nature it's a measure of likliehood as measured by non subject matter experts(a judge and some randos). Imagine a person has fallen on your property and injured themselves. If you are known in the neighborhood as a person that takes care of your sidewalk(shovels, patches broken concrete, etc.) and can produce evidence(character witnesses, testimonials, visuals) to that effect your case is strengthened.

No one ever got directly hacked because their password was too strong, but lots of people have had passwords guessed by brute force.

So put the two together. Its beneficial to have strong passwords because they can be presented as evidence of due diligence and there is no security risk to enforcing them. There may be some business risk(people fleeing because they don't like your password policy) but someone needs to quantify that its a problem for it to be considered in the calculus.

link
zAy0LfpBZLC8mAC 2465 days ago
That is a lot of text for not addressing my point at all!?
link
nsfyn55 2465 days ago
You asked how it would help and I explained exactly how it would help. I directly addressed your point.

Your content free, one sentence response not withstanding. Is there something specific you'd like clarification about?

link
zAy0LfpBZLC8mAC 2464 days ago
How exactly you think preventing your customers from using secure passwords is going to demonstrate due diligence?
link
nsfyn55 2462 days ago
Look at that sally, a false equivocation right out of the gate. I'll just change your text so that it represents what I actually said ....

>How exactly does taking steps that have previously been used in civil suits to demonstrate due diligence such enforcing password requirements going to demonstrate due diligence?

Well I'm glad you asked billy! The answer is tautology. Thanks for playing.

This argument is stupid. You want to talk about yak shaving, theoretical nonsense. FWIW I agree with you and think that password requirements are dumb, but you live in the real world. These are the legal realities of IT policy.

link