by lnanek 5131 days ago
Put me in as a nut job then. I've seen plenty of users who make no distinction whatsoever re case of characters in passwords. One day their password is working, the next day it isn't, and the organization ends up spending the customer care money to deal with it just because they started typing "af" at the end of their password instead of "Af" or whatever.

If you need more complexity in a password, better to just encourage them to use a phrase with the words being the individual complexity rather than the characters. Like it or not, we live in a world where 80% of end users can't turn their wifi radio on and off on their phone, and we need to make systems that are a pleasure to use for them.


Condescension about idiot users is never a very persuasive way to make a point.

> we live in a world where 80% of end users can't turn their wifi radio on and off on their phone

But they still manage to properly enter their case-sensitive password to buy new apps.

> But they still manage to properly enter their case-sensitive password to buy new apps.

Because they never use uppercase in their case-sensitive passwords.

This attitude makes me very angry.

Even if 80% of users don't use capitals in their passwords, the 20% who want that added security don't get it. Even if you believe this made-up statistic due to your condescending attitude towards "normal" users, the password should be case sensitive.

A (very stupid) alternative would be to notify the users that their password isn't case sensitive so that those who mind can use a more secure password.

The argument that "most" users won't be affected is absolutely negated by the fact that some are.

Your anger is based on theory, not practice.

Blizzard takes a lot of steps to ensure your password can't be brute-forced. Even with the (imho unnecessary) limit of 16 chars on the password, you can have all the security you could need, and then some. On top of that, you can get two-factor auth for free in most cases. The "added security" that those people want is in practice not significant at all, and Blizzard had other priorities driving their choices.

If I had to make an auth system I'd probably still opt for case sensitivity, no length limits, and other such best crypto practices, simply because that's the path of least resistance. But my biggest security concerns would be elsewhere.

If you care about the security of your account at all, you should be using an authenticator, and even with a poor password proper two-factor authentication is far more secure than even the best password.
"Average" users have been taught to use strong passwords for a long time now.
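To put numbers on the trade-off argued in this thread (the "af"/"Af" support cost from the first comment, and the "not significant in practice" claim about a 16-character, case-insensitive limit), here is an added Python example; it is not code from the thread or from Blizzard, and the fixed salt and the PBKDF2 scheme are assumptions for illustration only.

```python
import hashlib
import hmac
import math

# Constructed sample salt; a real store uses a fresh random salt per user (os.urandom(16)).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def hash_password(password: str, salt: bytes, case_insensitive: bool = False) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (assumed scheme).

    A case-insensitive check folds the password before hashing; that single
    .lower() is what makes "af" and "Af" verify against the same stored hash.
    """
    if case_insensitive:
        password = password.lower()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify(candidate: str, stored: bytes, salt: bytes, case_insensitive: bool = False) -> bool:
    """Compare the candidate's hash against the stored hash in constant time."""
    return hmac.compare_digest(hash_password(candidate, salt, case_insensitive), stored)


def keyspace_bits(length: int, case_insensitive: bool = False, lowercase: int = 26,
                  uppercase: int = 26, digits: int = 10, symbols: int = 0) -> float:
    """Guessing work, in bits, for a uniformly random password of the given length.

    Case folding removes the uppercase letters from the effective alphabet,
    so an attacker only has to search lowercase+digits+symbols per position.
    """
    alphabet = lowercase + digits + symbols + (0 if case_insensitive else uppercase)
    return length * math.log2(alphabet)


def case_folding_cost_bits(length: int, **alphabet) -> float:
    """Bits of search space lost when a case-insensitive check replaces a case-sensitive one."""
    return keyspace_bits(length, False, **alphabet) - keyspace_bits(length, True, **alphabet)


if __name__ == "__main__":
    stored_ci = hash_password("hunterAf", SALT, case_insensitive=True)
    stored_cs = hash_password("hunterAf", SALT)
    # The support case from the thread: the user types "af" where they enrolled "Af".
    print(verify("hunteraf", stored_ci, SALT, case_insensitive=True))  # True: folding hides the slip
    print(verify("hunteraf", stored_cs, SALT))                         # False: case-sensitive rejects it
    # The keyspace case: alphanumeric, 16 characters, with and without case folding.
    print(f"{keyspace_bits(16):.1f} bits case-sensitive, "
          f"{keyspace_bits(16, case_insensitive=True):.1f} bits folded, "
          f"{case_folding_cost_bits(16):.1f} bits lost")
```

At the 16-character alphanumeric limit, folding case costs roughly 12.5 bits of guessing work, which is the quantity both sides of the thread are arguing about.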