

Ask HN: Should my new application hand out complex passwords, forbid user PW's? - hoodoof

It seems from password analysis of recent hacks that many, many users have extremely poor passwords.

Should my new application disallow user-created passwords, instead generating complex passwords for users?
======
patrickyeon
As well as killing conversion, this will pretty near force your users to write
the password down. That's another attack vector (that you can't do anything at
all about).

The middle ground is a policy that enforces harder-to-bruteforce passwords
(e.g. at least one of each: upper case, lower case, numeral; minimum length and
no combinations of dictionary word + easily guessed number). Of course, the
more complicated you make it, the more likely the user will write it down,
forget it, not bother with your service, and/or curse your name.

------
hugorodgerbrown
Depends if you want anyone to use it; complex pwds are one of the biggest
barriers to user registration. If your users are comfortable online they
should be aware of the risks, and allowed to set simple pwds (a pwd strength
indicator is useful). If not, and you're concerned about security, look into
things like visual pwds (picking a picture from a much larger 'alphabet' of
images), and / or two-factor authentication.

What kind of app is it (game, banking, ...)?

~~~
whichdan
Anyone have any insight on where to get that many generic images?

~~~
entrepreneurial
Check public domain images: <http://www.usa.gov/Topics/Graphics.shtml>

~~~
whichdan
Very cool, thanks.

------
emp_
You will decrease your conversion considerably. My personal take on this is:
tell the users they are creating terrible passwords, educate them, but do not
forbid.

~~~
mbrzuzy
I agree with this idea.

I also see it used a lot lately. Just let them know their password strength as
they are typing it.
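
The policy patrickyeon sketches above (character classes, minimum length, no dictionary word plus an easily guessed number) and the live strength feedback emp_ and mbrzuzy recommend, as one added example in Python. This is not code from the thread or from any poster; the word list, the 10-character minimum, the leet table, the 16-bit dictionary estimate and the sample passwords are assumptions constructed for the illustration.

```python
"""Password policy check with live feedback (added example, not from the
thread above). Word list, thresholds and entropy figures are assumptions."""
import math
import re
import string

MIN_LENGTH = 10            # assumption: the policy's minimum length
DICTIONARY_BITS = 16.0     # assumption: word drawn from a ~65k-word list

# Constructed word list; a deployment would load a real dictionary plus a
# breached-password list from disk.
DICTIONARY = {
    "password", "welcome", "dragon", "monkey", "letmein", "qwerty",
    "summer", "winter", "football", "baseball", "princess", "master",
}

# Leet substitutions users apply to dictionary words, undone before the
# lookup so "Dr4g0n" still counts as "dragon".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Up to four digits on either side of a core token: years, birthdays and
# the trailing "1" or "123" users append to satisfy a digit rule.
WORD_WITH_NUMBER = re.compile(r"(\d{0,4})(.+?)(\d{0,4})")


def dictionary_core(pw):
    """Return (word, digits) if `pw` is a dictionary word optionally wrapped
    in a short number, else None. Matching is case- and leet-insensitive."""
    m = WORD_WITH_NUMBER.fullmatch(pw.lower())
    if m is None:
        return None
    word = m.group(2).translate(LEET)
    if word in DICTIONARY:
        return word, m.group(1) + m.group(3)
    return None


def policy_problems(pw):
    """Human-readable reasons the password fails the policy (empty = passes).
    These are the messages a form would show next to the field while typing."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"use at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("add an upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("add a lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("add a digit")
    hit = dictionary_core(pw)
    if hit is not None:
        problems.append(f"'{hit[0]}' is a dictionary word; digits around it do not help")
    return problems


def estimated_bits(pw):
    """Rough keyspace estimate for a strength meter.

    A random-looking password scores log2(pool) * length, where pool is the
    size of the character classes it uses. A dictionary-based password scores
    as one word lookup plus its digits, which is why 'Dragon2024' lands far
    below what its character classes alone would suggest."""
    hit = dictionary_core(pw)
    if hit is not None:
        return DICTIONARY_BITS + len(hit[1]) * math.log2(10)
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)   # 32 printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def strength_label(pw):
    """Bucket for a meter: 'weak', 'fair', 'good' or 'strong'.
    Anything that fails the policy is 'weak' regardless of its estimate."""
    bits = estimated_bits(pw)
    if policy_problems(pw) or bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    if bits < 80:
        return "good"
    return "strong"


if __name__ == "__main__":
    # Constructed sample inputs, from the obviously bad to a random string.
    for candidate in ["dragon1", "P@ssw0rd1", "Dragon2024",
                      "Summerhouse7", "xK9#mv2Lq!Tz4W"]:
        print(f"{candidate!r:18} {strength_label(candidate):7} "
              f"{estimated_bits(candidate):5.1f} bits  {policy_problems(candidate)}")
```

Two limitations of the naive check are visible in the sample run: "Summerhouse7" passes because the lookup only knows single words, and a symbol appended after the digits ("Dragon2024!") slips past the word-plus-number pattern. A production registration form would run a cracker-style rule set or a library such as zxcvbn over the input and reject anything found in a breached-password list, while still only warning (as emp_ suggests) rather than generating passwords for the user.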

