Hacker News new | ask | show | jobs
by rdl 5123 days ago
This is horrible advice given the threat model for either normal home users (at risk due to mass attacks/brute force, or MAYBE losing a wallet/unlocked phone/laptop with keys saved locally) or most corporate environments.

The solution in both cases is a move toward single sign on, using a password manager or a key or 2fa or federated login system (Kerberos, FB connect).

Enforcing minimum complexity requirements (and policies like no username as password, etc) protects the user and site. If a site has 10% of users with trivial passwords, even if it is just a commenting section on a blog, the site itself is at risk. Combine this with the propensity of users to globally reuse passwords, and everyone is kind of doomed. Passwords must die, but requiring a minimum level of passwords, and encouraging people to use passwords as safely as possible as an interim measure, is the only reasonable course of action.
1 comments
gte910h 5123 days ago
Then measure actual entropy. Don't make me make a password that fits some weird ass hard to remember standard you dug up. Let me use "This rabbit killed the horse in cold blood, then drank all the pies" as a password if I want, it has more entropy than C@tV0m!t does.
link
rdl 5123 days ago
The problem is it's hard to measure actual entropy. You can make a reasonable approximation (vs. a dictionary, and looking at the total character set) -- then, if you can, display the strength in some graphical way (ideally with a list of suggested rules which get checkmarked as the passphrase satisfies them). Still. "one TWO 3 +our" has less entropy than this would suggest.

I generally set an absolute minimum of 6-8 characters, not equal to username, site name, or a set of common passwords (including "password"). Sometimes require one (or two or three) of uppercase, number, or symbol for short passwords (i.e. stop requiring it if it is longer than 12 characters).

However, when a standard (or company policy) requires something like DIACAP, I'll enforce it in the pw creator. The absolute worst thing is when policy changes, and an allowed password becomes disallowed -- if it just expires and needs to be changed, that's one thing, but I've had sites where my long, special-case-laden passphrase worked in some login routines but didn't work in things like the password update routine (!!!).

For anything internal, I consider passwords basically unacceptable as an authentication mechanism alone; there must be PK or some kind of two factor auth.

link