by schaefer 1171 days ago
While trying to sign up, I was rejected with the error:

Your password must contain at least one symbol.

There are studies that show that that restriction decreases security, not increases it [1].

That’s all the friction I needed to not try this website which, from the outside looking in, seems like it might be amazing.

[1]: Encouraging users to improve password security and memorability. (Yildirim, Mackie 2019)
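To make the policy question in the post concrete, here is an added example (not code from the site being signed up for, nor from the cited study) that puts a composition rule like the one quoted above beside a policy that uses only length bounds and a check against a list of known-compromised passwords. The blocklist and the sample passwords are constructed for the demonstration; a real deployment would check against a large breached-password corpus rather than the handful of entries here.

```python
"""Added example: a symbol-required composition rule versus a
length-plus-blocklist policy. Everything below is constructed for
illustration; it is not the code of the site discussed in the post."""

import string
import unicodedata

# Constructed stand-in for a breached/common-password corpus.
# Entries are stored case-folded so comparison is case-insensitive.
BLOCKLIST = {"password", "p@ssw0rd!", "qwerty123", "letmein!", "123456"}

SYMBOLS = set(string.punctuation)


def composition_policy(pw: str) -> tuple[bool, str]:
    """Rule of the kind quoted in the post: minimum length plus 'at least one symbol'."""
    if len(pw) < 8:
        return False, "too short"
    if not any(c in SYMBOLS for c in pw):
        return False, "Your password must contain at least one symbol."
    return True, "ok"


def length_blocklist_policy(pw: str, min_len: int = 8, max_len: int = 64) -> tuple[bool, str]:
    """No composition rules: length bounds and a compromised-password check.

    The candidate is Unicode-normalized and case-folded before the lookup so
    that trivial variants of a blocklisted entry are still caught."""
    norm = unicodedata.normalize("NFKC", pw)
    if len(norm) < min_len:
        return False, "too short"
    if len(norm) > max_len:
        return False, "too long"
    if norm.casefold() in BLOCKLIST:
        return False, "appears in a list of commonly used or compromised passwords"
    return True, "ok"


# Constructed samples chosen to show where the two policies disagree.
SAMPLES = [
    "P@ssw0rd!",                     # has a symbol, but is a well-known weak password
    "correct horse battery staple",  # long passphrase with no symbol character
    "qwerty123",                     # no symbol and on the blocklist: both reject it
    "tr0ub4dor",                     # no symbol, not on the blocklist
]


def compare(samples: list[str] = SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Map each sample to (accepted by composition rule, accepted by length+blocklist)."""
    return {pw: (composition_policy(pw)[0], length_blocklist_policy(pw)[0]) for pw in samples}


if __name__ == "__main__":
    for pw, (comp_ok, lb_ok) in compare().items():
        print(f"{pw!r:35} composition={'accept' if comp_ok else 'reject':6} "
              f"length+blocklist={'accept' if lb_ok else 'reject'}")
```

Run as a script, the table shows the disagreement the thread is arguing about: the composition rule accepts "P@ssw0rd!" and rejects the long passphrase, while the length-plus-blocklist policy does the reverse.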


That's not _really_ what that study says... what they found was that "A password guideline including three sample password creation methods and a persuasive message and important notes for the experimental group" gave a small improvement over enforcing password restrictions. So it finds that training people to come up with good passwords immediately before they're asked to do so results in slightly better passwords. Notably, they did _not_ test what happens when you train users and also enforce restrictions, nor what happens when you don't train users and don't enforce restrictions.

But then also recognized "the participants in the experimental group spent time to read the information and applied the given methods to produce passwords, maybe just to help a research study by participating. However, in real life, users may not make an effort to read the information provided in the password guidelines unless they have to. Zakaria [64] suggested that one possible way to overcome this is to make reading and understanding the password guidelines compulsory before constructing a password." So even if we were to follow the findings here, the result would be to create _more_ friction, not less.

You’ve made some truly interesting counterpoints here. Thanks!

That having been said, friction is subjective. So we’ll have to agree to disagree about your last point.

Fair enough, personally I certainly would find being forced to read through "how to choose a password" every time I needed to create one worse than just having some restrictions... but I also put _everything_ in a password manager w/ long random passwords, so seldom run afoul of the common restrictions either.

Hey! I have fixed this issue now! If you have any other points of feedback, please let me know :)

That's amazing! Thank you. I'll check it out!