
Password complexity rules are stupid. The only thing that matters is the total entropy. "Entropy too low" is the only error a user should receive when coming up with a password.

Those complexity rules are the result of an entire industry blindly following the best practices of an old unix DES crypt function. It's dumb and it should stop.
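As an added illustration of the contrast this comment draws (not code from the thread or any commenter), the snippet below puts a classic composition rule set next to a single entropy check. The entropy estimate is the simple pool-size upper bound (length times log2 of the alphabet size) with a short list of well-known passwords standing in for a breach list; the character classes, the 60-bit threshold and the `COMMON_PASSWORDS` set are all assumptions of this example.

```python
import math
import string

# Character classes assumed for the pool-size estimate (an assumption of this
# example, not anything stated in the thread).
POOLS = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
         string.punctuation + " ")

# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}


def pool_size(password: str) -> int:
    """Size of the alphabet an attacker would have to search for this password."""
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in password))
    # Anything outside the known classes (e.g. non-ASCII) adds its own symbols.
    extra = {c for c in password if not any(c in pool for pool in POOLS)}
    return size + len(extra)


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy in bits.

    Treats the password as uniformly random over its character pool, so this is
    an upper bound; a password on a known list is only as strong as that list.
    """
    if not password:
        return 0.0
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    return len(password) * math.log2(pool_size(password))


def entropy_policy(password: str, min_bits: float = 60.0) -> list[str]:
    """The single check the comment argues for: reject only on low entropy."""
    if estimate_entropy_bits(password) < min_bits:
        return ["Entropy too low"]
    return []


def complexity_policy(password: str) -> list[str]:
    """A classic composition rule set, kept here only for comparison."""
    errors = []
    if len(password) < 8:
        errors.append("Must be at least 8 characters")
    if not any(c in string.ascii_uppercase for c in password):
        errors.append("Must contain an uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        errors.append("Must contain a lowercase letter")
    if not any(c in string.digits for c in password):
        errors.append("Must contain a digit")
    if not any(c in string.punctuation for c in password):
        errors.append("Must contain a symbol")
    return errors


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple", "1"):
        print(f"{pw!r}: {estimate_entropy_bits(pw):.1f} bits, "
              f"complexity={complexity_policy(pw) or 'ok'}, "
              f"entropy={entropy_policy(pw) or 'ok'}")
```

Run as a script, the composition rules accept `P@ssw0rd` (it ticks every box) while the entropy check rejects it because it sits on the known list; the four-word lowercase passphrase fails three composition rules yet clears the entropy bar by a wide margin. A production check would replace the toy list with a real breached-password corpus and a pattern-aware estimator, since the pool-size figure is only an upper bound.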


Going a step further, I don't even understand why we need any kinds of un-skippable errors because of this.

If I wanted a single number, say, '1' as my password, why shouldn't I be able to use it? It is my account and my responsibility, so why does everyone feel the need to enforce something on others?

A simple warning would suffice.

A compromised account affects more than just the account owner. In many scenarios it's possible to escalate privileges and take over an entire service - your password might be all that stands between a malicious user and everyone's accounts.

I can see how this may be a problem for invite-only systems, but a place where anyone can create an account? Plz...

In a scenario like GitHub's organization (where one user has privileges over many shared resources), for example, its owner still carries the responsibility for the safety of all its resources.

If it's possible to escalate privileges, then that's the place that needs fixing.
