
sunchild | 14 years ago

A. They don't need to remember any password. They're creating it for the first time.

B. Minimum password length/complexity. It's not hard to do.

I can't believe you're actually arguing that creating a new password is less secure than using an auto-generated password that was sent via email. I hope you are just confused...


tomjen3 | 14 years ago

Hell yeah it is less secure. password, letmein, 123456, j@nuary1

All bad passwords. All will be chosen by your users at some point. The last satisfies any complexity requirements I have ever run against in the wild.

There is nothing insecure about sending a plain-text password compared to a badly chosen password -- email isn't that easy to intercept and probably nobody is hacking your users' physical (or wireless) network. At least not compared to the number of people who will be attempting to crack their online password.

sunchild | 14 years ago

"email isn't that easy to intercept and probably nobody is hacking your users' physical (or wireless) network".

If you actually believe this, then we will never be in agreement.

DanBC | 14 years ago

For most of your users creating a new password will be much less secure than giving them a password.

> B. Minimum password length/complexity. It's not hard to do.

It is hard to do. That's why so many people reuse passwords, or have hopelessly weak passwords. (Some word with a few vowels swapped for digits, or some word with two digits tacked on the end.)

I agree that sending passwords over email is sub-optimal, but the solution is not to surprise users with a password creation screen.

sunchild | 14 years ago

Are you taking the position that only auto-generated passwords can be secure? I'm trying to understand what conclusion to draw from your comment.

My point was that imposing length validations on passwords is not hard. Complexity validation, while more difficult, is also not exactly a novel problem.

I feel like I'm in bizarro-world with all these people telling me that sending a plaintext password via email is more secure than giving users the option to follow an authenticated link to create their own password because...users can't be trusted to choose good passwords?! Really?
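The disagreement above turns on what a "complexity validation" actually catches. The following is an added example written for this page, not code from any commenter: it puts the classic three-of-four-character-classes rule tomjen3 is describing beside a check that enforces a length floor and compares the normalized password against a blocklist (the approach NIST SP 800-63B recommends instead of composition rules). The blocklists here are tiny, constructed stand-ins for a real breached-password list and dictionary, and the leetspeak table is an assumption about the substitutions users typically make.

```python
import re
from typing import Tuple

# Constructed, tiny blocklists standing in for a real breached-password list
# and a dictionary (assumption: a production check would use far larger sets).
COMMON_PASSWORDS = {"password", "letmein", "123456", "qwerty", "welcome", "iloveyou"}
DICTIONARY_WORDS = {"january", "february", "summer", "winter", "monkey", "dragon"}

# Assumed substitutions users make to satisfy "must contain a digit/symbol" rules.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def naive_policy(pw: str) -> bool:
    """The classic composition rule: 8+ characters drawn from at least three
    of four character classes. Accepts 'j@nuary1', rejects a long passphrase."""
    if len(pw) < 8:
        return False
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)
    return classes >= 3


def normalize(pw: str) -> str:
    """Reduce a password to the word the user most likely started from:
    lower-case it, drop digits/symbols padded on either end, undo leetspeak."""
    core = pw.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    return core.translate(LEET)


def hardened_policy(pw: str, min_len: int = 8) -> Tuple[bool, str]:
    """Length floor plus a blocklist check on both the raw and the normalized
    form. Returns (accepted, reason) so the caller can tell the user why."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "on the common-password blocklist"
    core = normalize(pw)
    if core in COMMON_PASSWORDS or core in DICTIONARY_WORDS:
        return False, f"normalizes to blocklisted word '{core}'"
    return True, "ok"


if __name__ == "__main__":
    # The four passwords from the thread plus two contrasting cases.
    for candidate in ("password", "letmein", "123456", "j@nuary1",
                      "Summer2019!", "correct horse battery staple"):
        print(f"{candidate!r:34} naive={naive_policy(candidate)!s:5} "
              f"hardened={hardened_policy(candidate)}")
```

The two policies disagree in both directions: the composition rule waves through "j@nuary1" and "Summer2019!" because they hit three or four character classes, while rejecting a four-word passphrase that has only lower-case letters and spaces. The blocklist check reverses both outcomes, which is the point sunchild is making that length and blocklist validation is not a hard problem to implement.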