Hacker News
by mmahemoff 4668 days ago
Another issue with this is it breaks password managers, including the built-in browser password storage. While you might say that's a Good Thing for security, it's not something you could easily pull off as a startup.

Due to lock-in effects, people have to deal with all manner of usability hell from their bank, but the same logic doesn't apply to startups. Not that your idea is usability hell, but you probably don't want to make it any harder than it needs to be.

I think adding a few characters to the minimum password would be equally secure and more consistent with tooling, as well as a more familiar model for users.

Also, 2FA might be easier than you think using a service like Twilio. Or another way to do it would be to let the user connect via a service that does support 2FA (e.g. Google or Twitter; and maybe adding your own password if you want to harden that).

2 comments

I recently added 2FA (OATH/Google Authenticator) support to Persowna[1], and it only took about two hours, 1:55 of which was spent on the UI. It's really not very hard.

[1] https://www.persowna.net/

> I think adding a few characters to the minimum password would be equally secure

Do you mean saying to the user, "your password must be at least 12 characters long"? That would just result in the user adding "12345" to the end of their standard password. Still seems much easier to crack than 4 random words.

> Also, 2FA might be easier than you think using a service like Twilio.

It might be easy for me to set up, but for my users (who are mostly non-technical) it is still relatively painful to install and set up a two-factor authentication app. I think most of my users would prefer the write-down-four-words option, even if it is a little less secure.

> you probably don't want to make it any harder than it needs to be

OK, so the question is, "does it need to be harder than the standard login form of username and password field?". Since my system deals with sensitive financial data, and given the problems with allowing users to pick their own password, I would say the answer is "Yes".