Hacker News
by jaguar1878 1589 days ago
How does this work with sites that have absurdly strict password requirements? i.e. 8-16 characters, 3+ letters (1+ of which is upper case), 2+ numbers, 1+ special characters (from their curated list only!) I've seen a few financial related sites have requirements like these, and with a typical password generator I can just click 'generate' until one pops out that meets the reqs, and save it.

For those sites, I usually just add whatever characters are needed to satisfy the requirements to the generated password (e.g., 0). This is annoying, since I have to keep track of which sites required such amendments. Fortunately, the majority of websites I use don't have such annoying requirements. And if I ever forget which sites have "amended" passwords, it's easy to find out simply by attempting to log in and being denied entry (in other words, I can brute force my way in).

Despite this awkwardness, I think this approach is worth it. I only have to memorize one password, and yet I still have a different password for every website. And if the Chrome extension ever gets shut down (*), the algorithm is simple enough to recreate in 4 lines of Python:

    import base64, hashlib  # imports the snippet needs to run on its own
    # inputs: domain (e.g. 'example.com') and universal_password (the one memorized secret)
    bits = (domain + '/' + universal_password).encode()
    for i in range(2 ** 16):  # 2^16 rounds of SHA-256 as a work factor
        bits = hashlib.sha256(bits).digest()
    generated_password = base64.b64encode(bits).decode()[:16]  # first 16 base64 characters
(*) I am the author of that Chrome extension, so I personally am not worried about it being shut down. But it is perfectly valid for other people to have that concern, of course.
Were there problems with just unconditionally adding a small string of all such characters to every password, whether the site needs it or not?

    generated_password = base64.b64encode(bits).decode()[:16] + '0@#Zz'
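As an added example (not code from this thread or from the Hashpass project), the block below re-implements the four-line derivation quoted above, the unconditional-suffix variant proposed in the reply, and a checker for a hypothetical policy modelled on the one in the top comment (8-16 characters, 3+ letters with 1+ upper case, 2+ digits, 1+ special from a curated list). The curated list, the domain and the universal password are constructed for illustration. Running it shows two things the thread only hints at: raw base64 output can never satisfy a curated-special-list rule, because the base64 alphabet is only letters, digits, '+' and '/', and a fixed five-character suffix pushes a 16-character password past a 16-character maximum, so a blanket suffix trades one class of rejection for another.

```python
import base64
import hashlib

# Re-implementation of the 4-line scheme quoted above (added example, not the
# extension's own source). Constants are taken from that snippet.
ROUNDS = 2 ** 16
OUTPUT_LENGTH = 16
BASE64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def hashpass_v1(domain: str, universal_password: str) -> str:
    """SHA-256 iterated 2^16 times over 'domain/password', base64-encoded and
    truncated to 16 characters."""
    bits = (domain + "/" + universal_password).encode()
    for _ in range(ROUNDS):
        bits = hashlib.sha256(bits).digest()
    return base64.b64encode(bits).decode()[:OUTPUT_LENGTH]


def hashpass_amended(domain: str, universal_password: str,
                     suffix: str = "0@#Zz") -> str:
    """The unconditional-suffix variant proposed in the reply above."""
    return hashpass_v1(domain, universal_password) + suffix


# Hypothetical policy modelled on the top comment. The curated special-character
# list is an assumption; real sites publish their own.
CURATED_SPECIALS = "!@#$%^&*"


def policy_violations(password: str, min_len: int = 8, max_len: int = 16,
                      specials: str = CURATED_SPECIALS) -> list:
    """Return the rules the password breaks (an empty list means accepted)."""
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append("length")
    letters = [c for c in password if c.isalpha()]
    if len(letters) < 3:
        problems.append("letters")
    if not any(c.isupper() for c in letters):
        problems.append("uppercase")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("digits")
    if not any(c in specials for c in password):
        problems.append("special")
    # Anything outside letters, digits and the curated list is rejected too,
    # which is exactly what bites base64 output ('+' and '/').
    if any(not (c.isalnum() or c in specials) for c in password):
        problems.append("forbidden character")
    return problems


def fits_policy(password: str, **kw) -> bool:
    return not policy_violations(password, **kw)


if __name__ == "__main__":
    # Constructed inputs; the output is deterministic for these values.
    pw = hashpass_v1("example.com", "correct horse battery staple")
    print("generated:", pw, "violations:", policy_violations(pw))
    amended = hashpass_amended("example.com", "correct horse battery staple")
    print("amended:  ", amended, "violations:", policy_violations(amended))
```

The `policy_violations` list is more useful than a boolean when deciding what to append: a site that only rejects on "special" can be satisfied by one curated character, while a site that also enforces a 16-character cap needs the base output shortened first, which is the kind of per-site record the author describes having to keep.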
It's a good idea that I've considered. However, I didn't anticipate the need for this when I originally designed Hashpass in 2014, and adding it now would be a breaking change.

I'm still considering it, but there would need to be a very slow, very careful rollout plan. Probably some transition period where users can opt into the new scheme, then eventually make the new scheme the default but still support the old scheme, and finally remove the old scheme to make things simple again.

Since this is a Chrome extension which collects no information from users, I have no way of contacting users about this. So I would need to wait long enough that users discover it themselves in the UI. All told, I'd guess it would take about a year for the full migration.

Anyone is welcome to discuss things like this with me via GitHub issues: https://github.com/stepchowfun/hashpass

> opt into the new scheme

Checkbox:

  Append common required chars [ ]: @Zz1
The rollout is that this is unchecked by default initially, with a warning that the default will become checked. Then eventually it defaults to checked.
Yes, a checkbox is one way to allow users to engage with this feature. There are other changes I'm considering as well (e.g., increasing the length of the generated passwords, avoiding characters that look like other characters such as 0 and O, etc.). You have the right idea, but the new experience needs to be designed holistically.