
Ask HN: Why don't websites show password requirements at the login screen? - muzani
Any brute-force hacker would already know all the password requirements.

But I might not remember them, and the password I used for an especially stringent site. Why not just remind them of the requirements if someone got their password wrong on the first try?
======
jawns
Hi, I'm your product manager.

I'd like you to create a login page where a user can log in using their email
address and a password.

We want our users to be made to feel as if we take security seriously, so
let's use the following secure password requirements that I picked up from a
blog post:

* Password must be AT LEAST 6 characters (but no more than 12, because who's going to remember more than 12 characters?)

* There must be at least one number.

* There must be at least one uppercase and at least one lowercase letter.

* There should be at least one special character, but not just any special character, because we don't want things to get crazy. Only these five: &$+#%

Okay, can you code that up for me?

Wait, it'll take _how_ long?

Well, yes, I understand that you not only need to build in the validation
logic but also need to build little error messages to let the user know what
they've done wrong if their password doesn't meet all the requirements, plus
allow time for writing tests, getting UX's rubberstamp, etc.

But I kind of need this by tomorrow afternoon. Is there anything we can
consider out of scope?

~~~
rogual
My favourite are the ones where you're not allowed to use “the portion of your
email address before the @” in your password. My email address is r@foon.uk.
Fun times :D

~~~
gear54rus
Didn't you bring this on yourself?

I hate any requirements for passwords, but why go for a corner-case email?

~~~
gnu8
Now you’re blaming the user though. The user isn’t wrong for having a valid
email address.

~~~
gear54rus
There are degrees of valid. There is RFC valid and then there is 'common
sense' valid (there are degrees of common too). Forcing yourself into barely
common-sense valid but RFC valid is the user's fault.

~~~
gnu8
Valid is a binary condition. Either an address is valid and you will be able
to send mail to it, or it is not. That is usually the sole reason for
validating an email address. If a bug in the validation logic causes an
unusual email address to be rejected then the code is definitely wrong, not the
user.

If the PM specifies a requirement to filter out email addresses with a single
character before the @ sign, then that's a different thing. Maybe there is a
business requirement to filter out people who own a domain and give themselves
a single character email address? In that case it should be explicitly written
into the validation logic and not done as a side effect of sloppy coding.

------
snowwolf
Because the ONLY requirement should really be > 8 (or more) characters. Any
other requirement will generally lead to users creating passwords with
predictable patterns.

[https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach](https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach)

"Traditionally, organisations impose rules on the length and complexity of
passwords. However, people then tend to use predictable strategies to generate
passwords, so the security benefit is marginal while the user burden is high."

Edit: Adding the NIST guidelines too, which say the same:
[https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/](https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/)

~~~
Asdfbla
I'm curious how far practical implementations of the NIST guidelines take the
advice to preempt dictionary attacks by not letting users choose known bad
choices. Of course the advice is perfectly reasonable, but when a user can't
choose 'password', they will probably try 'password1' - not really much safer
against the usual password cracking software, do you check that too then? But
I guess the article mentions that dilemma too. I guess it's again a tradeoff
between not annoying the user and annoying the password cracker sufficiently.
:)

~~~
proaralyst
password1 and reasonable mutations of password are probably present in the top
10000 passwords.

If that's not the case in general, a good benchmark would be 'can hashcat
break this given a reasonable mutation pattern'. The zxcvbn project pretty
much provides that.

------
tombrossman
Tangential but here's another one: Why don't websites show the requirements at
the _signup_ screen?

I've lost count of all the sites where I sign up and paste a long, secure
password generated by my password manager. One of three things happens then.

1) The site admins are competent and my strong password is accepted.

2) The site admins are incompetent, and limit password length to a short
string, possibly with certain special characters required.

3) The site admins are incompetent and should immediately be fired, because
the form accepts my long, strong password, silently truncates it to a shorter
length and saves that, and my correctly typed password no longer works. I've
discovered this pattern repeatedly after comparing the 'forgot password' email
they send with the truncated password in clear text (which is another reason
they should be fired immediately) and noticing it is much shorter.

First-world problems, I know, but this annoys me and I would like to see it
fixed.

~~~
cannonedhamster
Number 2 and 3 are my most common ones. I've seen bank logins capped at 8
characters. Oh and getting a mortgage... don't even get me started on mortgage
company password security.

------
beokop
Another issue is that most password requirements change over time, without
requiring existing passwords to be changed. There’s no way to tell what the
requirements were the last time the user changed their password without
breaching confidentiality. Having a list of all previous requirement schemes
would be a mess.

~~~
ukd1
Actually, it's pretty simple - each time you login, check that the password
(now cleartext, as supplied by user) is valid AND meets the current
requirement. If it's valid and doesn't, push in to a change password flow with
the current requirements. If you're extra careful, you can expire older
passwords and require an email reset before use.
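
The check ukd1 describes, as an added example (not code from any poster): the plaintext supplied at login is verified against the stored hash first, then measured against the current policy, and the caller is told whether to send the user into a change-password flow. The 12-character minimum, the small blocklist and the PBKDF2 work factor are assumptions for the example, not values from the thread.

```python
import hashlib
import hmac
import os

# Today's policy and KDF settings. Both are assumptions for this example, not
# values from the thread; a real service would load them from configuration.
MIN_LENGTH = 12
BLOCKLIST = {"password", "password1", "letmein", "qwerty123456"}  # constructed sample
CURRENT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor in use today


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> dict:
    """Store a salted PBKDF2 hash together with the parameters used to make it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def policy_violations(password: str) -> list:
    """Evaluate the plaintext against the *current* policy (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in BLOCKLIST:
        problems.append("appears on the blocklist")
    return problems


def login(record: dict, password: str) -> dict:
    """Authenticate first, then measure the (now known-correct) plaintext against
    today's policy and report whether the user must change it."""
    if not verify_password(record, password):
        return {"ok": False, "require_change": False, "reasons": [], "record": record}
    reasons = policy_violations(password)
    # Login is the only moment the server holds the plaintext, so it is also the
    # moment to re-hash a record that was created with a weaker work factor.
    if record["iterations"] < CURRENT_ITERATIONS:
        record = hash_password(password)
    return {"ok": True, "require_change": bool(reasons), "reasons": reasons, "record": record}
```

Because the stored hash never reveals what the password looked like, the policy can only be applied at this point; the same moment also upgrades any record hashed with an outdated work factor, which is why login() hands back a possibly re-hashed record to be written back.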

------
petecooper
I used to offer b2c technical support in my local area, I did it for about 5
years. It involved lots of in-person assistance provided to non-technical
folks on setting up Apple iCloud-enabled devices where the client was just too
spooked or unsure about the process and needed help.

I estimate I've helped 300+ people set up iPads and iPhones, and almost all
end up setting up iCloud. There are various steps to set up a new iCloud
account, including security questions from a drop-down list and setting a
suitably secure password.

This happened 95%+ of the time:

* iCloud prompts for (first time setup) password

* I look away, they type in a password and tap OK/Next

* I look back, iCloud responds that the password is not strong/secure enough

* I explain that Apple passwords need to be of a certain strength, and include 1 or more capital letters, and 1 or more numbers.

* The client tries again: makes the first character (a letter) capital and tacks a `1` on the end.

~~~
JoeAltmaier
I tack a '0' on to the end. Ha! Secure!

------
beering
The first website I've noticed that does this is Expensify. See their login
page here, specifically the little light bulb by the password field:
[https://www.expensify.com/signin](https://www.expensify.com/signin)

Is it an intuitive, clean design? Not sure. Definitely didn't guess that the
light bulb meant, "show password requirements", but at least it's an attempt.

------
codegeek
I hate websites that enforce their stupid password requirements on me. Most of
them are stupid, did I say that already ? Well, you can ONLY use some special
characters not any. Even worse, you CANNOT use some special characters. Ok I
keep trying. My best one: paste is disabled. So I cannot copy and paste my
super strong password from my password manager because apparently the genius
who built it thinks that copy/paste is a bad idea. Did I mention that some
password pages have a maximum length rule ? really ?

End of rant. The best password pages are those who just warn you for things
like min. length (a 2 character password is definitely a bad idea).

------
darkerside
I think this is a great question and would love to hear a thoughtful,
measured, non-snarky response

~~~
rockostrich
The hypothetical of a manager asking for the feature by the next day is pretty
accurate. Besides that, it might be a product or design person who thinks the
requirements would clash with the current product/design and doesn't want to go
through another iteration.

A better answer to the problem is to not have password requirements because
it's the user's responsibility to choose a secure password. If their password
is compromised because it was their dog's name or "password1234" then it's
their fault.

A way to engineer against brute-force hacking is to limit the number of
attempted logins per username and IP. If they hit the limit then their account
should be locked or their password should automatically be reset with an
email.
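
A throttle along the lines rockostrich suggests, as an added example and not code from any poster: failed attempts are counted in a sliding window per username and per source IP, and a request is refused while either count is over its limit. The limits and the window length are assumptions for the example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counters keyed by username and by source IP.

    The per-username window slows down guessing against one account from many
    addresses; the per-IP window slows down one address spraying a few common
    passwords across many accounts. A block here expires on its own, so sending
    wrong passwords cannot permanently lock a victim out of their account.
    Limits and window length are example values, not from the thread.
    """

    def __init__(self, user_limit=5, ip_limit=50, window=900, clock=time.monotonic):
        self.user_limit = user_limit
        self.ip_limit = ip_limit
        self.window = window  # seconds
        self.clock = clock  # injectable so tests can move time forward
        self._failures = {"user": defaultdict(deque), "ip": defaultdict(deque)}

    def _recent(self, kind, key):
        """Drop timestamps older than the window and return the live queue."""
        queue = self._failures[kind][key]
        cutoff = self.clock() - self.window
        while queue and queue[0] <= cutoff:
            queue.popleft()
        return queue

    def is_blocked(self, username, ip):
        return (
            len(self._recent("user", username.lower())) >= self.user_limit
            or len(self._recent("ip", ip)) >= self.ip_limit
        )

    def record_failure(self, username, ip):
        now = self.clock()
        self._failures["user"][username.lower()].append(now)
        self._failures["ip"][ip].append(now)

    def record_success(self, username):
        # The owner proved possession of the password, so clear their counter.
        # The IP counter is deliberately kept: a sprayer that lands one account
        # should stay throttled against the others.
        self._failures["user"].pop(username.lower(), None)


def attempt_login(throttle, username, ip, password, verify):
    """verify(username, password) -> bool stands in for the real credential check."""
    if throttle.is_blocked(username, ip):
        return "throttled"  # answer before doing any password hashing work
    if verify(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip)
    return "bad_credentials"
```

The design choice worth noting is that the block is a temporary backoff rather than the hard lockout or forced reset the comment proposes: a hard lockout lets anyone who knows a username deny that user service by typing garbage, whereas a window that empties by itself only slows the guesser down.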

~~~
darkerside
> it's the user's responsibility

While I agree with you on some level, this is quite contrary to the spirit of
our times. Plenty of otherwise smart people have pretty dumb passwords. I'm
similarly ignorant of enough things that I don't judge them as simply
deserving what they get.

------
commenter1
None of the pages I host have any password requirements. Well, one, you have
to have a password. One char is enough. Some might wonder why would you do
that, but why would you force people to make complicated passwords if the site
in question doesn't have anything worthwhile to steal? Like one of my sites is
a tv guide, why would I want to force my users to use 8+ character passwords?
Pure stupidity.

------
amelius
Reminds me of this joke:

[https://www.reddit.com/r/Jokes/comments/1v4bpa/passwords/](https://www.reddit.com/r/Jokes/comments/1v4bpa/passwords/)

------
username223
Password rules are dumb, but why do websites even require passwords when they
require an email address and offer a "forgot my password" link? The user
clicks the link, it sends a one-time login URL to the address, that login URL
sets a cookie, and there you go.

If your primary email account is hacked, you're pwned in all kinds of ways
that a password won't help, e.g. "forgot my password" requests. And if you
don't care about others using some junk website that requires logins, you can
give them a throwaway Mailinator account.

------
_pmf_
UX aside, the set of requirements in place when you created your account may
be different from the set of requirements that are in place at the time of
login.

------
peterwwillis
The site's devs & testers simply never even see the invalid password screen -
only automated scripts with test credentials ever interact with it. They have
a completely different experience, and that affects how the site is built.

At the end of the day, making life easier for users is not a priority unless
it affects the bottom line.

------
lotyrin
It's visually unclean, and of dubious security use, because nobody should be
trying to remember all their passwords, or using a memorable scheme that is
adapted based on requirements, just big random string that meets requirements
and is managed somehow.

~~~
gpm
> nobody should be trying to remember all their passwords, or using a
> memorable scheme that is adapted based on requirements

I strongly disagree with this. Using a password store guarantees that it is
technically possible for someone to recover a complete list of my passwords
without me being aware. And means I am either storing my passwords online
somewhere, which makes it far easier for that technical breach to happen, or I am
relying on a piece of hardware not failing to maintain access to my account.

Remembering a unique password for each site (that I actually care about, I can
write down passwords for sites that I don't) is simply more secure. Sure the
passwords will be easier to reverse if you get a hash of them than a real
random string, but it would still be extremely difficult/beyond most cracking
software (it's easy to increase reversing difficulty by using a long hard-to-
reverse suffix shared between all your passwords), and you'd have to steal and
reverse a lot of hashes to find useful patterns.

~~~
lotyrin
My credential management tool has ~300 credentials in it, of which I use
roughly 10% frequently, there is no way for me to remember these, without
creating a scheme which someone could eventually reverse given enough of my
leaked credentials (so far about 15% of services I use have had breaches using
weak hashes, and these tend to end up in public). Such a scheme would also
have to support password rotation (for services which are breached, or which
expire credentials). If I am going to store them somehow, an encrypted blob
seems to handily beat pen and paper.

The only scheme I can think of that would be strong would be one that is tool-
assisted and given a set of password requirements (length, allowed characters,
etc.), a domain, a master key, and an incremental counter, derives keys and
forms passwords on the spot, but I'd still need to remember the criteria for
each site, and the counter positions, and keep those secured... so what's a few
more bytes?
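
The tool-assisted scheme lotyrin sketches, as an added example not taken from the post: a master key, a domain, a counter and the site's requirements are fed to HKDF and the output is mapped onto the allowed alphabet without bias. The sample policy is modelled on the PM's list earlier in the thread (12 characters, upper, lower, digit, one of &$+#%); the info encoding, the fixed "stateless-pw-v1" label and the master key are this example's own assumptions.

```python
import hashlib
import hmac
import string

# Sample policy modelled on the PM's list earlier in the thread. The policy
# encoding and the "stateless-pw-v1" label are assumptions of this example,
# not a published scheme.
POLICY_PM = {
    "length": 12,
    "classes": [string.ascii_lowercase, string.ascii_uppercase, string.digits, "&$+#%"],
}
MASTER_KEY = b"constructed master secret, replace with the user's own"  # constructed


def _hkdf(master: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256: extract with a fixed label as salt, then expand."""
    prk = hmac.new(b"stateless-pw-v1", master, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_password(master: bytes, domain: str, counter: int, policy: dict) -> str:
    """Deterministically turn (master, domain, counter, policy) into a password.

    The counter is what the user bumps when a site forces rotation. Bytes are
    mapped onto the alphabet by rejection sampling so every character is equally
    likely, and the derivation is retried (still deterministically) until every
    required class is present.
    """
    alphabet = "".join(policy["classes"])
    limit = 256 - (256 % len(alphabet))  # largest multiple of len(alphabet) <= 256
    for attempt in range(256):
        info = ("%s\x00%d\x00%d" % (domain.lower(), counter, attempt)).encode()
        stream = _hkdf(master, info, 4 * policy["length"])
        chars = [alphabet[b % len(alphabet)] for b in stream if b < limit]
        if len(chars) < policy["length"]:
            continue  # ran out of accepted bytes; the next attempt gets fresh output
        candidate = "".join(chars[: policy["length"]])
        if all(any(c in cls for c in candidate) for cls in policy["classes"]):
            return candidate
    raise ValueError("policy cannot be satisfied with this alphabet")
```

The weakness lotyrin points out survives in code form: the per-site policy and counter still have to be recorded somewhere, and one leaked derived password plus its domain is an offline target for guessing the master key, so the master has to be a high-entropy secret rather than a memorable phrase.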

------
rvanmil
I think it would be confusing, people only expect feedback on their password
during registration or when updating it. Also, requirements can change but
that won’t invalidate passwords which were chosen with the previous
requirements.

------
specialist
I want login & signup params in meta, for password vaults to use.

Stable URLs for log in/out, regex pattern (or some such) to spec password
reqs, list stock status response codes (e.g. success, bad email, nym already
taken).

------
pathikrit
Is there a database of leaked passwords somewhere? I would simply enforce that
your password is not in the leaks? Probably would capture the most common 100k
passwords anyway this way?
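
The two pieces pathikrit and, further up, proaralyst are asking about, as one added example (not code from either poster): a top-list check that first undoes the mutations cracking rule sets apply ('Password1!', 'P@ssw0rd'), and a lookup in a breach corpus done the way the Pwned Passwords range API works, sending only the first five hex digits of the SHA-1 and matching the rest locally. The top list and the range response body are constructed here so the block runs offline; a real deployment would fetch the body from https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-in for a "top N passwords" list; load the real top 10k/100k
# from a breach-derived corpus in production.
TOP_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "dragon", "monkey"}

# Reverse the character substitutions cracking rule sets try first.
UNLEET = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
)


def normalize(candidate: str) -> set:
    """Return the base words a mutation rule could have produced `candidate` from:
    case-folded, with leading/trailing digits and symbols stripped, and un-leeted."""
    lowered = candidate.lower()
    forms = {lowered}
    forms.add(re.sub(r"[\d\W_]+$", "", lowered))            # "password1!" -> "password"
    forms.add(re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered))  # "!!password1" -> "password"
    for form in list(forms):
        forms.add(form.translate(UNLEET))                    # "p@ssw0rd" -> "password"
    forms.discard("")
    return forms


def in_top_list(candidate: str) -> bool:
    return any(form in TOP_PASSWORDS for form in normalize(candidate))


def range_query_parts(password: str):
    """Split the SHA-1 the way the Pwned Passwords range API expects: the first 5
    hex digits are sent, the remaining 35 never leave the client."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    return sha1[:5], sha1[5:]


def breach_count(password: str, range_body: str) -> int:
    """Look up our suffix in a 'SUFFIX:COUNT' range response; 0 means not present."""
    _, suffix = range_query_parts(password)
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


# Constructed stand-in for the body returned for prefix 5BAA6 (SHA-1 of "password").
# A real body lists every suffix in the range; the counts here are illustrative.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A5D2A5B1E3F6C9D8E7F0A1B2C3D4E5F6A7:3
"""


def reject_reasons(candidate: str, range_body: Optional[str] = None) -> list:
    """Both checks a NIST-style 'no known-bad passwords' rule needs, in one place."""
    reasons = []
    if in_top_list(candidate):
        reasons.append("a common password once trivial mutations are undone")
    if range_body is not None and breach_count(candidate, range_body) > 0:
        reasons.append("present in a breach corpus")
    return reasons
```

Normalising before the top-list lookup is what closes the 'password' versus 'password1' gap proaralyst raises: the list stays small, but the cheap mutations a cracker tries first no longer slip past it.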

------
jlebrech
I worked at a place where the password requirement for the system was 3 numbers,
2 letters, 3 numbers, and you had to change it every 3 weeks.

------
IshKebab
Because people who are smart enough to think of that aren't stupid enough to
have silly password requirements.

------
rad_gruchalski
Counter question: why aren't we educating users to use password managers?

~~~
teolandon
Who are "we"? What is a good way of educating every service user ever that
password reuse can ruin their lives and that human generated passwords are
weak? School? Parents?

New users are thrown into the internet and they find out they have to use an
email, and are usually turned towards Gmail, and then they have to use a
password. They probably already had a password on their laptops or phones,
which are harder to break into because they need physical access to crack, but
the new user doesn't know that people can and might remotely try to gain
access to their online email service. So they use the same password they had
on their laptops. Then they have to sign up for a ton of other services, so
they need passwords for them as well. The easiest thing to do is to reuse your
password, or slightly modify it.

If people don't know why it's bad to reuse passwords, they won't even think
about getting a password manager. Yes, it is very simple and user-friendly
nowadays, but it's seemingly a lot of work to change all your past passwords,
and to some people it might be even scarier to hide all your passwords to all
your accounts behind a single password.

I'm not very familiar with middle and high school curriculums nowadays, but I
feel like security is a topic that must be included. A crazy amount of people
use the internet and build their whole online personas or store a lot of their
personal and important information in a very wrong and insecure way, just
because there's nothing to stop them, and that's the easy way.

~~~
rad_gruchalski
"We" as the community who gives them a reason to create these accounts.
Whatever system that is.

> If people don't know why it's bad to reuse passwords, they won't even think
> about getting a password manager. Yes, it is very simple and user-friendly
> nowadays, but it's seemingly a lot of work to change all your past
> passwords, and to some people it might be even scarier to hide all your
> passwords to all your accounts behind a single password.

Maybe we should all make an effort then. Give them instructions on why and how
to use a password manager. Before they create an account. It's just a high-level
idea, not very well thought out.

------
Willson50
The requirements could have changed since the user last set their password.

------
jwilk
How does showing the requirements help the user recall the password?

~~~
jawns
I am somewhat ashamed to admit this, but I used to use a password that had a
common base but was adapted to each site according to a formula. However, it
did not contain any special characters. So you can bet that whenever a site
indicated that special characters were necessary, I would just tack on an
exclamation point to the end.

~~~
iandioch
I used to do the same. I'm sure that's what thousands of others do too :)

------
pbreit
Probably tradition & aesthetics.

Best just to avoid goofy requirements.

------
jlebrech
and don't forget preventing pasting

