by Pxtl 1418 days ago
I assume your starting password rules deliberately set the bar low to encourage PRs to improve it, since I can think of much more believable, infuriating, tedious ways to drag this out longer, keeping the user thinking they're always one step away from a valid password without being obviously silly.

Believable, stupid requirements I've seen in the wild in the bad early days of complexity requirements.

- your password contains a common word

- your password contains one or more repeating characters

- your password contains a forbidden character

- your password needs at least one additional uppercase letter

- your password needs at least one more distinct special character

- your password cannot end with a special character

- your password contains an escalating series of numbers

- your password is too short

- your password is too long


I've seen a real site where the minimum password length was more than the maximum password length. Of course, if you know that you'll stop wasting your time. But if the error is just "your password is too short" or "your password is too long" it might take several tries to figure out it's impossible to satisfy the requirement.
Twitch complained that my password longer than 16 characters exceeded the 40 character limit.

But the worst I've seen was a registration form that truncates long passwords to the (hidden) maximum length of ~10 without telling you, so anyone choosing a safe password cannot login and won't know why.
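
The two failure modes in the comments above, silent truncation at registration and a length policy that cannot be satisfied, reproduced as an added example. This is my own illustration, not code from the thread or from any of the sites named in it; the hidden limit of 10, the min/max values and the PBKDF2 parameters are assumed for the demonstration.

```python
"""Added example: a store that silently truncates at registration (the bug),
a length policy check that notices impossible rules, and a store that enforces
the limit openly instead. Not from the thread; the limits are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 over the full UTF-8 encoding: the hash sees every character it is given.
    # Iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class TruncatingStore:
    """Reproduces the bug: registration keeps only the first HIDDEN_MAX characters
    while login hashes the whole input, so a password longer than HIDDEN_MAX
    never verifies and only its truncated prefix does."""

    HIDDEN_MAX = 10  # assumed hidden limit, standing in for the ~10 in the comment

    def __init__(self):
        self._users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password[: self.HIDDEN_MAX], salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self._users[user]
        return hmac.compare_digest(_hash(password, salt), digest)


@dataclass(frozen=True)
class LengthPolicy:
    min_len: int
    max_len: int

    def satisfiable(self) -> bool:
        # A policy with min > max rejects every input; catch that at configuration time.
        return 0 < self.min_len <= self.max_len


def check_password(password: str, policy: LengthPolicy) -> list[str]:
    """Return every violation at once rather than one per attempt."""
    if not policy.satisfiable():
        raise ValueError(
            f"policy impossible: min {policy.min_len} > max {policy.max_len}"
        )
    problems = []
    n = len(password)
    if n < policy.min_len:
        problems.append(f"too short ({n} < {policy.min_len})")
    if n > policy.max_len:
        problems.append(f"too long ({n} > {policy.max_len})")
    return problems


class StrictStore(TruncatingStore):
    """Fix: state the limit, reject what exceeds it, and hash the full secret."""

    POLICY = LengthPolicy(min_len=12, max_len=128)  # assumed values

    def register(self, user: str, password: str) -> None:
        problems = check_password(password, self.POLICY)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password, salt))


if __name__ == "__main__":
    pw = "correct horse battery staple"
    bad = TruncatingStore()
    bad.register("alice", pw)
    print("truncating store, full password:", bad.login("alice", pw))
    print("truncating store, first 10 chars:", bad.login("alice", pw[:10]))
    good = StrictStore()
    good.register("alice", pw)
    print("strict store, full password:", good.login("alice", pw))
    print("impossible policy:", LengthPolicy(20, 16).satisfiable())
```

With the truncating store the user who chose a long password can only log in with its first ten characters, which is exactly the "cannot log in and won't know why" case; the strict store either accepts the whole password or tells the user the actual limit.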

VNC does this too with its 8 characters. Stupid design decision.

Even more stupid though is their declaration that encryption is 'out of scope' and anyone wanting it should arrange it out of band (e.g. VPN or SSH forwarding). Seriously... :/

Well, given their track history, they are very correct on their recommendation to allow localhost connections only and tunnel any traffic through ssh. I mean, would you trust them to enforce the security of their server?

(It would be better if they only allowed pipeline connections and actually required that you run the data through ssh. But I bet they didn't notice people have all kinds of untrusted software running on localhost.)

I agree with that recommendation (it's absolutely not advisable to expose it to the internet even if it were encrypted) but that's where defense in depth comes in.

It's not supposed to be the only level of security but using unencrypted protocols in this day and age for something as sensitive as server control is unforgivable.

For example, tunneling through SSH does make it possible for other people to sniff the traffic on either side if they are on localhost. Port forwarding is not a very safe technique since it doesn't allow you to limit which user uses the port.

I do respect people that say "I don't know how and don't want to learn how to solve this hard problem, so I'm leaving it explicitly unsolved", as long as that "explicitly" part is real.

And yeah, I would probably use vnc if the protocol was over a pipeline, like scp or rsync. As it is now, it's a program to avoid.

Defense in depth is only useful for vulnerabilities that you can't solve to a satisfactory level. You should be able to publish a high-quality access server on the internet without any loss of security.

Paypal did the silent truncation to me at 20 characters once, what a nightmare. I can't even remember how I figured it out, probably some other poor soul left a breadcrumb for me.
Especially when those messages are the last ones that appear after you've resolved every other issue.
Hah... this reminds me of the following (perhaps most interesting for people speaking German; translated from the German original, passwords left as typed):

Please enter a secure password.

Leberkas

Sorry, your password is too short!

Leberkas-Semme

Sorry, your password must contain at least 1 digit.

1 Leberkas-Semme

Sorry, your password must not contain spaces.

50drecksleberkassemmen

Sorry, your password must contain at least one umlaut.

50drecksleberkässemmelnzefix

Sorry, your password must contain at least 1 uppercase letter.

50DRECKSleberkässemmelnZEFIX

Sorry, your password must contain at least 1 special character.

50DRECKSleberkässemmelnZERFIX!!!!!!!

Sorry, your password may only contain uppercase letters that are not consecutive.

KreizKruzeFixVerdammterScheissDrecklatzkannstMiGleiKreizWeisSonstWo WoslnDesFiaAScheissSystem50DrecksleberkässemmelnZeFix!!!!

Sorry, this password is already in use. Please choose another one.

You got me at "Sorry, this password is already in use." :D
You also need to only give the feedback on password quality after the user has entered it twice; until then, "passwords do not match" is the only piece of info.
>stupid requirements I've seen in the wild in the bad early days of complexity requirements.

Early days? Every sodding week for me....

Just in case:

Dumb Password Rules

Shaming sites with dumb password rules.

https://github.com/duffn/dumb-password-rules