Stop Password Restrictions

4 points by bbissoon ↗ HN
I've been on a few sites - just recently Skype, and no matter what password I typed in, it says it's easy to guess. How can I use a service whose password I can't remember. It's such an idiotic practice by some programmer or entity flexing their new found validation knowledge and going overboard. BUT AT WHAT COST TO THE USER!

I could be wrong, but I'm so tired of companies dictating password complexity instead of locking their systems down.

I'm a programmer and I went through this stage where I just wanted all user entered data to be precise - BUT IT'S NOT USER FRIENDLY!

Anyone has an upside to this or am I truly missing something?

2 comments

[ 5.2 ms ] story [ 11.2 ms ] thread
All someone needs to do to crack a password these days is spin up some servers or a botnet. Thousands of accounts getting bruteforced and abused could harm and even destroy a website.

Use lowercase, uppercase, numbers, and symbol(s). It's the only way to prevent a password from being cracked in minutes.

It's the unfortunate consequence of having powerful computers at a low cost. Password restrictions WILL continue to get more strict. It has to be that way to protect the users, the biz, and the infrastructure.

The problem is, forcing restrictions on a password actually reduces the search space, making the password file as a whole easier to crack. It's far better to inform the user of the strength of the password and advise to use a stronger password than to enforce it. If I know the password must have a digit and an extra special character, then I can exclude all passwords that don't have these features from the search and significantly reduce the cracking time. If any password is possible, then I basically have to search the entire space. Sure, the single english word passwords will be the first to fall, but if you advise the user their password is weak, that is a risk the user has taken on knowingly.