top | item 3596372

sunchild | 14 years ago

Are you taking the position that only auto-generated passwords can be secure? I'm trying to understand what conclusion to draw from your comment.

My point was that imposing length validations on passwords is not hard. Complexity validation, while more difficult, is also not exactly a novel problem.

I feel like I'm in bizarro-world with all these people telling me that sending a plaintext password via email is more secure than giving users the option to follow an authenticated link to create their own password because...users can't be trusted to choose good passwords?! Really?

DanBC|14 years ago

What are the risks for each situation?

Users are hopeless at creating secure passwords. They are especially hopeless at creating secure passwords if you suddenly present them with a password creation screen.

Adding complexity generation does not help. If anything, it makes things worse. People use stupid weak passwords, often re-using them across different websites. They'll do simple substitutions of digits for vowels, or they'll use one word with a couple of digits stuck on the end.

Complexity validation gives a false sense of security.
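As an added illustration (not code from either commenter), here is a password check that looks specifically for the two habits DanBC describes: digit/symbol-for-letter substitutions and a dictionary word with a few digits tacked on. It normalizes the candidate back to its likely base word before the dictionary lookup, so a complexity rule is not fooled by "P@ssw0rd123". The wordlist is a small constructed sample; a real deployment would use a full dictionary plus breached-password data.

```python
import re

# Constructed sample wordlist for the example; a real check would load a
# large dictionary and a breached-password list instead.
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "summer"}

# The digit/symbol-for-letter swaps users typically make ("substitutions of
# digits for vowels" in the comment above). Mapping is one-way on purpose:
# we only need to recover the word the user started from.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumed policy value for the example


def base_word(password: str) -> str:
    """Reduce a password to the word the user most likely typed first:
    lowercase it, drop digits/symbols stuck on either end ("word + a couple
    of digits"), then undo leetspeak substitutions in what remains."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(UNLEET)


def weaknesses(password: str, wordlist=COMMON_WORDS) -> list[str]:
    """Return the reasons a password should be rejected (empty list = ok)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    core = base_word(password)
    if core in wordlist:
        # The superficial complexity came from substitutions and a suffix,
        # not from the underlying word, so it adds little real strength.
        reasons.append(f"dictionary word '{core}' with substitutions/suffix")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "Summer2012!!", "correct horse battery staple"):
        print(candidate, "->", weaknesses(candidate) or "ok")
```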