by ziddoap 896 days ago
>at least in writing, since I can't imagine how it could be actually enforced

You can check passwords against known-compromised lists and then tell the user "sorry, please use a different password". This is something that is a recommended best practice, and has been for at least a few years.

>Or at the least enforce an aggressive password change schedule

This has been explicitly not recommended since at least 2016 by NIST. Research has shown this leads to password fatigue, which results in weaker passwords that are just iterated on (password1 -> password2 -> password3).
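As an added illustration of the compromised-password check described above (example code, not from this thread or from any commenter), the snippet below hashes the candidate password and looks up only a short hash prefix against a constructed in-memory breach list, in the k-anonymity range style that public breach-lookup services use; the sample list, counts and function names are assumptions made for the example.

```python
import hashlib

# Constructed sample of a "known-compromised" list: uppercase SHA-1 hex of
# leaked passwords mapped to a made-up breach count. A real deployment loads
# the full list or queries a range API; this exists only so the example runs offline.
_SAMPLE_LEAKS = {"password1": 123456, "password2": 45000, "123456": 999999}
COMPROMISED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in _SAMPLE_LEAKS.items()
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the format breach lists are commonly published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def lookup_range(prefix: str) -> dict:
    """Simulated k-anonymity range lookup: given the first 5 hex chars of a
    SHA-1, return every (suffix -> count) sharing that prefix. The caller never
    reveals the full hash, so the lookup service cannot recover the password."""
    return {h[5:]: n for h, n in COMPROMISED_HASHES.items() if h[:5] == prefix}


def breach_count(password: str) -> int:
    """Return how many times the password appears in the list (0 if absent)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return lookup_range(prefix).get(suffix, 0)


def validate_new_password(password: str) -> tuple:
    """Policy check at set/change time: reject known-compromised passwords with
    an explanatory message. No periodic-rotation rule is applied, in line with
    the NIST guidance referenced above (SP 800-63B)."""
    count = breach_count(password)
    if count:
        return (False, f"This password appears in {count} known breaches; "
                       "please choose a different one.")
    return (True, "")
```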


Or, users can check their passwords against known-compromised lists. It's not on them to hold users' hands and check for their mistakes.
Let's not fall for 23andMe's attempts at victim blaming. They offered the service, and they failed to implement reasonable security practices. Their process allowed users to pick "obviously" flawed passwords. Well, those passwords weren't obviously flawed enough to bar their use, but obvious enough to blame users afterwards... yeah, that's BS.
Yes, users can (and should) be doing that as well.