Sorry, nothing personal.

But this 'new' approach feels like last decade online banking - and it wasn't a good idea at that point.

In addition: Limiting user input and forcing password resets are, in my world, directly acting against your idea of 'improving user experience'.

If I am allowed to use a password of my choosing, I'll probably come up with something that is memorable and reasonably secure (depending on the context, I admit). If you force me to follow random, voodoo rules (just digits, at least one digit and one upper-case letter, more than x but LESS THAN y chars) I'm going to sigh, come up with something like 'YeahRight123' and I'm going to add a mental note to never trust this service fully. If I'm not leaving right away, that is. Resetting a password regularly (oh.. I hate everything noticeable SOX forces upon us)? Cool, you just motivate me to make my password 'cool123' - 'cool234' etc. (with variations for 'clever' password checks. If I cannot keep a prefix, I'll juggle different parts and keep the same, crappy, useless, insecure password, because .. I cannot be bothered to follow arbitrary idiot rules)

Your idea follows the worst practices in terms of restricting the keyspace and auto-resetting the password at arbitrary times, starting out weak already (4 digits..).

I wouldn't sign up with some 'security' in place that follows your suggestion.

It's great to get different perspectives on the concept. I agree that enforcing rules and resets does impact user experience.

What if the user were to authenticate once via SMS (we send them a code and they enter it within a reasonable time period), and once they do, they're authenticated for an infinite amount of time. This way they don't need to remember a passcode, and just need to have their phone on them when accessing the website from a new computer - a similar experience to two factor auth.
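The flow proposed above (send a code by SMS, accept it only within a time window, then remember the device indefinitely) sketched in Python as an added example; it is not code from the thread's participants. The specific numbers are assumptions: a 6-digit code, a five-minute validity window as the "reasonable time period", and a cap of five wrong guesses before the code is thrown away. The store is in-memory and the SMS gateway is replaced by a list that collects what would have been sent, so the whole thing runs offline.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 300   # assumed "reasonable time period": five minutes
MAX_ATTEMPTS = 5         # assumed cap on wrong guesses per issued code


def _digest(value: str) -> str:
    """Hash codes and device tokens before storing them, so a leaked table
    contains nothing that can be replayed directly."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class PendingCode:
    code_hash: str
    issued_at: float
    attempts: int = 0


@dataclass
class AuthStore:
    pending: dict = field(default_factory=dict)          # phone -> PendingCode
    trusted_devices: dict = field(default_factory=dict)  # token hash -> phone
    sms_outbox: list = field(default_factory=list)       # constructed stand-in for an SMS gateway


def issue_code(store: AuthStore, phone: str, now: float) -> None:
    """Generate a fresh random code for this phone, keep only its hash,
    and hand the plaintext to the (stand-in) SMS gateway."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    store.pending[phone] = PendingCode(code_hash=_digest(code), issued_at=now)
    store.sms_outbox.append((phone, code))


def verify_code(store: AuthStore, phone: str, submitted: str, now: float):
    """Check a submitted code. Returns (status, device_token).
    The token is only present when status is 'ok'."""
    pending = store.pending.get(phone)
    if pending is None:
        return "no_pending", None
    if now - pending.issued_at > CODE_TTL_SECONDS:
        del store.pending[phone]            # outside the time window: discard
        return "expired", None
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS:
        del store.pending[phone]            # too many guesses: discard
        return "too_many_attempts", None
    if not hmac.compare_digest(_digest(submitted), pending.code_hash):
        return "invalid", None              # constant-time comparison
    del store.pending[phone]                # a code is single-use
    token = secrets.token_urlsafe(32)       # long-lived "this device is trusted" token
    store.trusted_devices[_digest(token)] = phone
    return "ok", token


def trusted_phone(store: AuthStore, token: str):
    """Map a presented device token back to its phone, or None if unknown."""
    return store.trusted_devices.get(_digest(token))


def revoke_device(store: AuthStore, token: str) -> bool:
    """An indefinite session still needs a way out; returns True if one was removed."""
    return store.trusted_devices.pop(_digest(token), None) is not None


if __name__ == "__main__":
    store = AuthStore()
    issue_code(store, "+15550100", now=0.0)
    phone, code = store.sms_outbox[-1]           # what the user would read off the phone
    print(verify_code(store, phone, code, now=10.0))
```

Only hashes of the code and of the device token are kept server-side, the comparison is constant-time, and a code dies on first use, on expiry, or after the attempt cap. The revocation helper is there because "authenticated for an infinite amount of time" is only workable if the user or the operator can still cut a device off.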

