top | item 42629041

(no title)

digging | 1 year ago

That is a very good point! You'd have to be careful to craft the messaging so that it doesn't imply you can help troubleshoot the password manager.

But something simple could work. Already you usually have a note under a password field, "Must contain at least 8 characters and at least one special character" or something to that effect. It could also have some note about "We suggest a randomly generated password from your password manager."

I'm not building this out so I don't need every hole poked in the idea, just seems like it could work.

discuss

yawaramin|1 year ago

If someone is going to do this, 'At least one special character' etc. is not the way to do it. According to OWASP guidelines, a secure password must enforce a minimum length but not any other specific criteria, because they actually end up reducing password strength. Instead, the best option is to add a password strength indicator below the password entry field, to encourage the user to create a strong password. The help text can also mention using a password manager but it's difficult to do in a good way.

grvbck|1 year ago

One of my pet peeves is when rules counteract the purpose they are supposed to serve, usually because of incompetence. Two years ago, I worked for a few months for a company where time reporting was accessed through a specific web page.

They required the password to be changed monthly, have at least 10 characters, at least one number and at least one special character. On top of that – they locked out password managers and pasting. "We need to make sure you are the one logging in and not a hacker that hacked your password manager" they explained when I asked.

Out of spite I went for "Password12!" the first month and "Password123!" the month after, at which point I received an email from the IT department explaining to me that my choice of password was endangering the corporations security.