by hospitalJail 1098 days ago
>Mozilla’s Minimum Security Standards, like requiring strong passwords

What if I don't want a strong password? What if I have 0 care for my account because I never wanted an account to begin with but was strong-armed into giving away my email, phone number, and now need a unique password because I'm worried someone is going to see that I 'prayed' 100 times.

I loved that reddit didn't need an email, and I could use a generic password. If I lost my reddit account, no big deal at all. For my personal/PR reddit account, email and strong password, great.


There are substantial incentives for practically everyone to adopt strong passwords, including yourself, even if it's just a temporary account.

The platform actually desires you to possess a robust password, given that hijacked accounts contribute to spam so heavily.

Many people often use the same "basic passwords" on multiple websites. If one of your temporary accounts gets hijacked all your other "temporary" (in quotes because some of them might actually be important) accounts, including older ones you might have forgotten about, could be exposed.

Essentially, there are hardly any valid grounds for any platform to permit the utilization of frail passwords, especially considering how effortless it is to create distinct passwords using a password manager nowadays.

I think creating a strong password and offering it once is better, or am I overlooking something?
If you suggest making one powerful password and using it everywhere, then as soon as one website reveals your password all your accounts have been exposed. The usual practice is to remember one strong phrase and never use it for anything except your password keeper.
I mean if the website in question generates a password and shows it (and then lets it go, of course). This is used to show cert private keys, for example. I can see it working with passwords.

I don’t care about passwords. I just want a “key” and I’ll store it.

Seems reasonable.
Offering it once? Offering what?
The password, at account creation. Here is your password: ……

I have seen it being used for cert keys.

Oh I see - the system generates the user a password? Yeah; makes sense.
> Essentially, there are hardly any valid grounds for any platform to permit the utilization of frail passwords, especially considering how effortless it is to create distinct passwords using a password manager nowadays.

One was just given: Users don't really care to create an account to begin with, so they provide throwaway email accounts and low security passwords. If the apps required longer, safer passwords, then they risk losing signups.

If I get a message complaining about my password being too weak, from a service I might not care that much about, then there's an increased risk that I opt to not create an account.

Apple's solution is actually pretty good; it allows me to quickly create an account to try out an app or service. If I don't like it, meh, they only have the Apple login info and nothing else.

It's clear that platforms don't view it as a major obstacle to registrations. Or, at least, not a hassle that weighs significantly against the issue of unauthorized access to accounts and, to put it bluntly, articles of this nature that tarnish their reputation.

Considering the ongoing trend towards the use of robust passwords rather than their abandonment, we can infer that either the impact on meaningful engagement hasn't been substantial or the decrease in signups is deemed overwhelmingly worthwhile in order to combat spam and other unfavorable aspects.

So, I stand by what I said.

Why do I need a password at all for 99.99% of apps or websites?

If I lose a password, what do I almost always have to do?

1. Email account recovery link.

2. Input auth code sent from text message or authenticator app. [Optional.]

3. Make new random password I'm going to forget or lose.

Why bother with this? If email is the reset mechanism why does the industry care so much about getting passwords from users?

1. Email sign-in link.

2. Input auth code. [Optional]

Every other part of this whole chain gets simpler. No more password strength checking code. No multiple auth paths. No issues with anything. Just a single email with at most two links, one for browser sign-in, one for app sign-in.

If you really, really, really need to you can add one or two QR codes so these hypothetical people that don't have email on their phone can sign into the app.

> Why bother with this? If email is the reset mechanism why does the industry care so much about getting passwords from users?

Because you may not have access to your e-mail from the device where you want to use that service.

For example, I don't need to have access to my e-mails from my tablet as I'm always reading/writing them on a computer with a keyboard. So I don't want to set up access to my e-mails from my tablet, as it reduces the risk of a bad app leaking them or leaking my credentials.

I covered this in my comment with QR login codes.

Plus, if you really want to, you could also have a one-time use 6 digit code for login also sent in the email and it would be better for the majority of people that do not use a password manager.

Or if you really, really, really must have your passwords then please invert the default to where login via link is the primary mechanism and passwords are optional on a per-account basis.

I think they do this in Europe. I believe that there is still some loss of security. With email only you could lose all your accounts.

So, while I mostly agree overall, especially with respect to silly little things that aren't likely to hurt anyone, I do think there's a compelling case for password and 2factor.

As it stands, you have to know something and have something. Making it so you only need to have something is better than making it so they only know something.

However, that second factor seems like a good idea; though I will admit that it's probably unlikely that a thief would have the motivation to crack your phone to get your email; is this even easily achievable?

I don't understand what they mean by strong passwords.

From the methodology:

> If the product uses passwords or other means of security for remote authentication, it must require that strong passwords are used, including having password strength requirements.

What are 'strength requirements'? Is minimum-length-of-X a strength requirement? Apparently not, since Abide failed for the following:

> Strong password: No. Allowed us to register with '11111111'. They require 8 characters minimum, but do not check if a password is strong.

----

I don't believe in the meme of l337speak pa55W0rd$. I think sufficiently long pass phrases are fine.

Passwords tend not to be brute forced one character at a time, but by combinations of common password lists and rainbow tables. The base unit in these cases is not the character but entries in the tables.

Therefore, a password like "EstablishedCousins" is significantly less secure than "bR^4outc0m3" despite containing more characters.

Edit: I actually mean dictionary attack, not rainbow tables, but my point still stands.

Edit 2: In fact, the password from the example ("11111111") appears in the 71st line of this password dictionary: https://raw.githubusercontent.com/duyet/bruteforce-database/...

> Therefore, a password like "EstablishedCousins" is significantly less secure than "bR^4outc0m3" despite containing more characters.

And "awn-handsome-dolce-esophagi-radix-lawgiver" is more secure than "Hunter2"…

My point is that their methodology doesn't cover what do they mean by strong passwords. A sufficiently long (and sufficiently random - but how do you check for that?) pass phrase is strong in my view.

'Sufficiently long' is doing a lot of work though. 1$a}F is a five symbol password and so is ASufficientlyLongPassPhrase. Unless an attacker has some specific knowledge about how the passwords were generated, the latter is significantly more secure since the dictionary size for the symbols (English words, though none especially uncommon so top 5k or so should suffice) is significantly larger than that of the former (standard keyboard characters). But it's not nearly as secure as a password in the style of the former with the same number of characters as that passphrase.
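As an added example (not from any commenter), a Python sketch of the comparison above: the entropy estimate depends on what the attacker's unit is (keyboard character or dictionary word), and a lookup against a common-password list catches entries like "11111111" that a per-character estimate alone would wave through. The common-password set, the 5,000-word dictionary size and the 40-bit acceptance threshold are constructed assumptions.

```python
import math

# Constructed stand-in for a common-password list; a real list has millions
# of entries, and "11111111" (from the thread) sits near the top of them.
COMMON_PASSWORDS = {"123456", "password", "11111111", "qwerty", "hunter2"}

PRINTABLE_ASCII = 95   # choices per position for a random keyboard-character password
COMMON_WORDS = 5_000   # assumed dictionary size for a passphrase of ordinary English words
MIN_BITS = 40.0        # assumed acceptance threshold


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Bits of entropy for n_symbols chosen uniformly from alphabet_size choices."""
    return n_symbols * math.log2(alphabet_size)


def assess(password: str, words: int = 0) -> dict:
    """Check a candidate against the common list, then estimate its entropy.

    words > 0 declares the candidate a passphrase of that many dictionary words,
    so the unit of guessing is the word rather than the character.
    """
    if password.lower() in COMMON_PASSWORDS:
        # Length alone says nothing here: "11111111" has 8 characters but is
        # guessed on the first few tries of any dictionary attack.
        return {"ok": False, "bits": 0.0, "reason": "in common-password list"}

    if words:
        bits = entropy_bits(words, COMMON_WORDS)
        unit = f"{words} words from a {COMMON_WORDS}-word dictionary"
    else:
        bits = entropy_bits(len(password), PRINTABLE_ASCII)
        unit = f"{len(password)} random printable characters"

    ok = bits >= MIN_BITS
    return {"ok": ok, "bits": round(bits, 1), "reason": unit}


if __name__ == "__main__":
    # Same symbol count, different units: 5 characters vs 5 words.
    for candidate, n_words in (("1$a}F", 0), ("ASufficientlyLongPassPhrase", 5),
                               ("ASufficientlyLongPassPhrase", 0), ("11111111", 0)):
        print(candidate, assess(candidate, words=n_words))
```

The third call treats the passphrase as if its 27 characters were independent random symbols, which is the upper bound the comment refers to; the attacker who knows it is five common words faces only the second estimate.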
8 characters isn’t exactly long but I agree overall length is the main way to make a password stronger. Cue the xkcd comic.
Passwords are not about hiding data.

Passwords are legally the only thing that can't be forced out of you, to make you login into a computer system against your interests.

Passwords are the core foundation of keeping your internet life separate from your personal/private life. Biometric and hardware authentication make both your real life name/address/life history and your computer ID the same thing.

I didn't sign up for American globalism, and I don't want my iPhone's authentication systems to force me into being accountable to Twitter/Apple/Google credit score. If the Australian government forced this stuff on me and kept it within Australia, that's different.

IBM is moving to a "passwordless trend" on their server authentication, in favour of biometrics and iPhone auth. I bet my bottom dollar that will get spread everywhere in the universe, regardless of our protestations.

It's not agreeable. inb4 people say "it's always been that way/they could always do that". The last shred of internet-identity liberty is going to be dead in a new york minute.

Your religious identity and your prayer life are going to get owned if you let go of passwords and ambiguous identities.

> Passwords are legally the only thing that can't be forced out of you, to make you login into a computer system against your interests.

Not in the UK, since RIPA.

https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...

It's been used:

http://news.bbc.co.uk/1/hi/technology/7102180.stm

Guess my comment is surplus-to-requirements. Waves of 'sadge' aside..

Non-conformists are necessary to keep society progressing. The computing revolution is becoming oppressive. I guess the future rests with men who have the willpower to keep valuable ideas out of the system long enough for them to bear fruit.

Isaac Newton studied in private for 15 years. He also privately denied the Trinity and refused to take Holy Orders from the CofE. It's very questionable whether that is at all possible to do again under constant 'supervision', when a fundamental difference between authority and truth happens again.

> and refused to take Holy Orders from the CofE.

Did the CofE try to compel him to take Holy Orders?

As far as I'm aware, Holy Orders in the CofE amounts to becoming a priest (since the CofE has no monks or friars). I thought you had to ask for that, and then prove your worthiness.

Is there some order in the CofE that the church can ask you to join, when you don't want to?

[Edit] He was a Rosicrucian; I'm not really sure what that means in theological terms, but I'm pretty sure it doesn't align with any conventional doxy.

He lived in a very orthodox time in the UK. The country has previously had a state religion (1200s) and kicked out the Jews at the time. The Brits have previously severely restricted public services for all non-conformists after the Act Of Uniformity 1851. The Brits have murdered/killed/martyred many people from European religions. Denying the Trinity is enough to invite severe negative judgement from the Archbishop of Canterbury. We live in Trinitarian times.

Britain is a CofE country, even though it's 'going dark' (well, less visible and more authoritarian) in our lifetimes and GAFCON will temporarily take the limelight.

It is trivial to silence people technologically today and with biometrics denying services is also trivial.

If a discovery like Calculus comes from people who wish to study and speak of non-orthodox ideas, then we should be careful about our technological lock downs. Social media manipulation of thinking is already a big danger to true innovative thought.

Yes, I get it, he was a non-conformist. But in what sense did the CofE try to compel him to take Holy Orders?

> even though it's 'going dark'

Not sure what you mean. The CofE is a very different organisation from what it was 60 years ago, when I first rejected religion. I like the modern organisation a lot less than the one I left; it's become heavier, more intolerant of human diversity, with a much narrower range of views. Maybe that's what you meant.

One very, very basic measurement / thought experiment for holiness in Christian circles to think about is the following:

Imagine Christianity is illegal. Imagine the government decides to prosecute you, but hires the weakest, most incompetent, repeatedly-almost-disbarred prosecutor there is. You meanwhile get access to David Boies. Would the government have enough evidence for even the worst prosecutor to prove you are a Christian?

Well, if not… it’s like Mozilla doesn’t realize that religious people don’t mind prayer being a fairly public act as long as people against them aren’t preying on them. Catholics have Mass every Sunday; Muslims have their five-times-daily prayers and often wear clothing that clearly identifies them as such; and so forth.

Prayer can be both public and private. It's more than just the danger of being exposed as a Christian to a regime that is hostile to it and persecuting Christians. The seal of confession is an obvious good example of why privacy is important. Everyone standing in line to the confessional knows you're Catholic and that you're going to confession. They don't know what you're confessing to.

Obviously, you shouldn't be storing confessions in an app, but the principle is that privacy goes beyond the danger of persecution.

Your thought problem isn't productive because it creates a fake scenario that lends validity to an otherwise invalid problem.

Okay, if Christianity is illegal you'd want your Christian apps to be secure.

If Christianity isn't illegal, you don't care.

You'd want privacy if you were using the silk road, but you are probably okay with your alarm clock app collecting the number of times you hit snooze. You'd also be okay if the US/Chinese government knew that you hit snooze.

The person you're replying to is using the hypothetical to illustrate why religious people don't care if prayer app data is made public. He is not trying to tease out the hypothetical any further than that.
The list is about privacy and security. If you don’t think your prayers are private or need security, then don’t worry about the list I guess.
The information stored in therapy or prayer apps is much more sensitive than a disposable Reddit account.
You know, it's not a requirement to be contrarian about everything. Encouraging people to use stronger passwords (and password managers to handle them) is pretty much universally a good thing.