

Ask HN: Why not show password rules during failed password attempt? - mukgupta

Most of the time my password is the same as, or a variant of, a generic password that I keep on most sites. Now what usually happens is that some website has a specific rule for setting passwords, like it should be alphanumeric, have one special character, or a capitalized character, etc. Because of this, I end up resetting my password, which wouldn't be needed if I were aware of the password rules. Wouldn't it simply be better if websites could tell you the password rules in case of a failed password attempt? I don't see any security issue with that. Do other HNers face a similar problem?
======
emerongi
There is no security issue with that. This "feature" would definitely be
useful (and in a way needed), even though I use a password manager anyway.

------
mak4athp
1. Don't use the same password everywhere.

2. Use a password manager like LastPass or 1Password.

Regardless of the incidental security risk of showing those rules, the site
shouldn't facilitate your irresponsibility when it comes to password
management.

------
lucasmullens
On a similar note, why do we have to use the error message "Wrong username or
password"? Can't any hacker just try to make an account with a username to see
if it exists?

~~~
storafrid
The username might exist, but be the wrong one. In such a scenario, the
password is correct for the intended account but not for this particular
account. Meaning that the message "Wrong password" will confuse the user.

------
kenjackson
I agree. There shouldn't be any security issue with that (unless your password
rule is, "no more than 4 digits", even then).

This is one of those things that I think should culturally change. Maybe it
can start with YC companies?
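The design the thread argues about, a login handler that keeps the "Wrong username or password" message uniform (and does the same hashing work whether or not the account exists, so timing does not leak existence either) while still reporting which public password rules the submitted password breaks, as an added example that is none of the posters' code. The rule set, the user table and the PBKDF2 parameters are constructed assumptions; the `register` function is included only to show where username enumeration still happens regardless of the login message.

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Optional

# Constructed password policy, standing in for whatever rules a site shows on
# its sign-up form (assumption). Because these rules are already public, echoing
# the ones a failed attempt violates reveals nothing an attacker lacks.
POLICY = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("at least one digit", lambda p: re.search(r"\d", p) is not None),
    ("at least one uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("at least one special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]

GENERIC_ERROR = "Wrong username or password."
SALT_LEN = 16
ITERATIONS = 100_000  # assumption; tune to the deployment


def policy_violations(password: str) -> list:
    """Return the human-readable rules that `password` fails to satisfy."""
    return [rule for rule, ok in POLICY if not ok(password)]


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """salt || PBKDF2-HMAC-SHA256(password, salt)."""
    salt = salt or os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, dk)


# Constructed user table (assumption): one account with a policy-compliant password.
USERS = {"alice": hash_password("Correct-Horse-1")}

# A throwaway hash that is verified when the username is unknown, so a missing
# account costs the same PBKDF2 work as a wrong password for a real one.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(username: str, password: str) -> dict:
    """Authenticate; on failure, report policy hints but never account existence."""
    stored = USERS.get(username)
    # Always run the expensive comparison, even for unknown users.
    matched = verify_password(password, stored if stored is not None else _DUMMY_HASH)
    if stored is not None and matched:
        return {"ok": True, "message": "Logged in."}
    # Same message and same hint logic whether the username exists or not.
    return {
        "ok": False,
        "message": GENERIC_ERROR,
        "policy_hints": policy_violations(password),
    }


def register(username: str, password: str) -> dict:
    """Sign-up path. Note that it necessarily reveals whether a username is taken,
    which is the enumeration channel the thread points out; a uniform login
    message does not close it."""
    violations = policy_violations(password)
    if violations:
        return {"ok": False, "message": "Password does not meet the rules.", "policy_hints": violations}
    if username in USERS:
        return {"ok": False, "message": "Username already taken."}
    USERS[username] = hash_password(password)
    return {"ok": True, "message": "Account created."}


if __name__ == "__main__":
    print(login("alice", "Correct-Horse-1"))
    print(login("alice", "wrong"))   # generic error plus the rules "wrong" breaks
    print(login("nobody", "wrong"))  # identical shape and hints for an unknown user
    print(register("alice", "Another-Pass-9"))  # reveals that "alice" exists
```

The hints list is derived purely from the submitted password, so an attacker probing a username learns exactly what they would learn by typing the same string into the sign-up form; the account-existence bit stays hidden at the login endpoint, but as the `register` path shows, a site that wants to hide it must also avoid leaking it at sign-up and password reset.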

