Hacker News new | past | comments | ask | show | jobs | submit login

The worst for me is when there is a strong complexity requirement, but some other stupid limitation, like only specific special characters can be used. I usually result to something like "ThisIsBullshit!1" or something similar (though I started using lastpass, also 2fa where available)

I did come across a site that had a cuss word filter, then wouldn't let me change my password... lol. No mention of why it was an invalid password.

If you must have certain complexity requirements, spell them out. Personally, if it's over 8-10 characters (with leading and trailing whitespace trimmed off), I'll take anything... convert to UTF8 bytes before 1-way hashing...

As for using SCrypt, if it takes a modern CPU 1/2 second on a process to hash a password, then that's ripe for a DDOS against your authentication server, which is where failed attempt counts, and locking for X minutes comes in.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact