
I see your point, but given the number of 'test', 'password' and '12345' passwords we see whenever there's a leak, that could be an issue.

Maybe just a minimum length? I too get annoyed when there are specific complexity requirements, like 'must include an uppercase letter' even though I've used a 20-character long password including numbers and punctuation.

The worst for me is when there is a strong complexity requirement, but some other stupid limitation, like only specific special characters can be used. I usually resort to something like "ThisIsBullshit!1" or something similar (though I started using lastpass, also 2fa where available).

I did come across a site that had a cuss word filter, then wouldn't let me change my password... lol. No mention of why it was an invalid password.

If you must have certain complexity requirements, spell them out. Personally, if it's over 8-10 characters (with leading and trailing whitespace trimmed off), I'll take anything... convert to UTF-8 bytes before 1-way hashing...

As for using scrypt, if it takes a modern CPU 1/2 second on a process to hash a password, then that's ripe for a DDoS against your authentication server, which is where failed attempt counts, and locking for X minutes, comes in.

If the problem is that people are using "password" as a password, why not just ban that example specifically? So you can't use "password", but you can use "djwipvbs". Assuming you're using bcrypt with an appropriate work factor, wouldn't "djwipvbs" be an acceptable password?

More generally, you could ban the top X passwords from those "most frequently used password" lists.
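The policy sketched across the two comments above (trim whitespace, require a minimum length, spell out the rejection reason, block the top-N leaked passwords, convert to UTF-8 bytes, then run a slow hash such as scrypt) as an added, runnable example; this is not code from either commenter. The blocklist contents, the minimum length of 8, and the scrypt cost parameters are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a "most frequently used passwords" top-N list.
COMMON_PASSWORDS = {"password", "123456", "12345", "test", "qwerty", "letmein"}
MIN_LENGTH = 8  # counted after trimming surrounding whitespace (assumed value)

# scrypt cost parameters (assumed; tune so one hash costs tens of ms per login,
# not 500 ms, so the login endpoint itself does not become the DoS target).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def check_policy(candidate: str) -> Optional[str]:
    """Return a plain-language reason the password is rejected, or None if it passes.
    Each rule names itself so the user is never left guessing why it failed."""
    trimmed = candidate.strip()
    if len(trimmed) < MIN_LENGTH:
        return f"must be at least {MIN_LENGTH} characters (leading/trailing spaces ignored)"
    if trimmed.lower() in COMMON_PASSWORDS:
        return "is on the list of most commonly leaked passwords"
    return None


def _derive(candidate: str, salt: bytes) -> bytes:
    # Trim, then encode to UTF-8 bytes so the same text always yields the same input.
    return hashlib.scrypt(candidate.strip().encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(candidate: str) -> bytes:
    """Hash under a fresh random salt. Stored layout: salt || derived key."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(candidate, salt)


def verify_password(candidate: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_derive(candidate, salt), key)
```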

Consider the sources of those leaks. They're usually from places like adobe.com, where my own password is 1234 because I just had to make an account to download some trial software or whatever.
