Hacker News new | ask | show | jobs
by sunchild 5231 days ago
A. They don't need to remember any password. They're creating it for the first time.

B. Minimum password length/complexity. It's not hard to do.

I can't believe you're actually arguing that creating a new password is less secure than using an auto-generated password that was sent via email. I hope you are just confused...
2 comments
tomjen3 5231 days ago
Hell yeah it is less secure. password, letmein, 123456, j@nuary1

All bad passwords. All will be chosen by your users at some point. The last satisfies any complexity requirements I have ever run against in the wild.

There is nothing insecure about sending a plain-text password that compares to a badly chosen password -- email isn't that easy to intercept and properly nobody is hacking your users physical (or wireless) network. At least not compared to the number of people who will be attempting to crack their online password.

link
sunchild 5231 days ago
"email isn't that easy to intercept and properly nobody is hacking your users physical (or wireless) network".

If you actually believe this, then we will never be in agreement.

link
DanBC 5231 days ago
For most of your users creating a new password will be much less secure than giving them a password.

> B. Minimum password length/complexity. It's not hard to do.

It is hard to do. That's why so many people reuse passwords, or have hopelessly weak passwords. (Some word with a few vowels swapped for digits, or some word with two digits tacked on the end.)

I agree that sending passwords over email is sub-optimal, but the solution is not to surprise users with a password creation screen.

link
sunchild 5231 days ago
Are you taking the position that only auto-generated passwords can be secure? I'm trying to understand what conclusion to draw from your comment.

My point was that imposing length validations on passwords is not hard. Complexity validation, while more difficult, is also not exactly a novel problem.

I feel like I'm in bizarro-world with all these people telling me that sending a plaintext password via email is more secure than giving users the option to follow an authenticated link to create their own password because...users can't be trusted to choose good passwords?! Really?

link
DanBC 5231 days ago
What are the risks for each situation?

Users are hopeless at creating secure passwords. They are especially hopeless at creating secure passwords if you suddenly present them with a password creation screen.

Adding complexity generation does not help. If anything, it makes things worse. People use stupid weak passwords, often re-using them across different websites. They'll do simple substitutions of digits for vowels, or they'll use one word with a couple of digits stuck on the end.

Complexity validation gives a false sense of security.

link