Ask HN: Why not show password rules during failed password attempt?
Most of the times my password is same as/a variant of a generic password that I keep on most of the sites. Now usually what happens is that some website has some specific rule for setting passwords like it should be alphanumeric, have one Special character, or a capitalized character etc. Due to this, I end up resetting my password which wouldn't be needed if I was aware of the password rules. Wouldn't it be simply better if websites can simply tell you the password rules in case of failed password attempt. I don't see any security issue with that. Do other HNers face similar problem?
7 comments
[ 2.5 ms ] story [ 26.9 ms ] threadThis is one of those things that I think should culturally change. Maybe it can start with YC companies?
Any hacker can try doing that irrespective of the message that you decided to show. Besides this error message, you can say - "Invalid credentials" or "Your information do not match with our records"
2. Use a password manager like LastPass or 1Password.
Regardless of the incidental security risk of showing those rules, the site shouldn't facilitate your irresponsibility when it comes to password management.