Ran into this insanity on chase.com earlier this week...
I wonder how many of these rules are band-aids. Like they found that so many people used chase123 as a password that they needed a new rule for it.
I also wonder if they know how much easier this makes brute force attacks.
Leave the password decision up to your users.
This. If I want my password to be "password" so be it; it's my password -- just inform the user that that's probably not a good idea :)
I wish we could all do this. I feel like living in the "suing McDonald's for hot coffee" age, people would blame a company for leaking their info even if they have a terrible password.
You are absolutely right that this sort of decision would leave the company liable. However, your example of the McDonald's coffee is a bad one. Although people use this example a lot as one of a frivolous lawsuit, the actual case is far from it. This short NYTimes documentary gives a good explanation of why: https://youtu.be/pCkL9UlmCOE
Actually, the way McDonald's solved that is with a label that says something like "WARNING: Hot Coffee." That's exactly what I'm proposing companies do with passwords.
Awesome. Good stuff, Joel. I can definitely see key-based passwords being mostly extinct within the next decade, replaced by biometric recognition. Authentication through facial recognition via a built-in camera would be awesome.
...until I'm in a car accident where my face gets busted up and now I can't log into my Facebook to tell everyone about my car accident.
Recovering from situations where something isn't working should be a part of every login system.
Forgot your password? Busted up your face?
Or someone can just use your picture for the facial recognition...
Great read, thanks Joel.
Great article and I agree, educating users on passwords in the registration process versus forcing them is probably better.
I'm surprised you didn't mention password managers.
As a user, I can't remember the last time I actually created my own password.
I let the password manager generate it.
Obviously, password managers pose their own security risks, but weighed against the ease and time saved they present, those risks are worth it.
Most people I know use a password manager; between all the devices I have, I couldn't imagine not using one.
Browsers' nag features to "save passwords" are always nagging.
Maybe the rise of password management mirrors the increase in opinionated, technical passwords?
He mentioned password managers in passing, but I agree with Joel that I don't want to "become dependent" on a third-party tool. That's not a solution, it's a stopgap at best in my opinion.
Spent 5 min reading this article while the answer is obviously in asymmetric cryptography. BitID, for example, allows you to log in with your Bitcoin address: https://github.com/bitid/bitid It can also be used as better two-factor auth with a smartcard: https://www.ledgerwallet.com/products/3-ledger-hw-1
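The comment above points at asymmetric cryptography as the alternative to passwords. What that looks like in practice is a challenge-response login: the site stores only the user's public key, issues a fresh random nonce, and the user's device proves possession of the private key by signing it. The example below is added here to illustrate that idea; it is not BitID's protocol, nor code from the original post or any of the linked projects. It uses Go's standard-library Ed25519 rather than Bitcoin keys, and the `Server`, `Register`, `IssueChallenge`, `ClientSign` and `Verify` names plus the `login:<origin>:<nonce>` message layout are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is a hypothetical relying party. It never stores a password or a
// private key: only the public key each user registered, plus the nonces
// it has handed out and not yet seen a response to.
type Server struct {
	Origin     string                       // site name the challenge is bound to
	users      map[string]ed25519.PublicKey // username -> registered public key
	challenges map[string]string            // outstanding nonce (hex) -> username
}

func NewServer(origin string) *Server {
	return &Server{
		Origin:     origin,
		users:      make(map[string]ed25519.PublicKey),
		challenges: make(map[string]string),
	}
}

// Register stores a user's public key. In a real deployment this would be
// tied to account creation or a recovery flow (cf. the "busted up your
// face" thread above: key loss needs a recovery path too).
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// IssueChallenge hands out a fresh 256-bit random nonce for the user.
// Each nonce is single use, so a captured signature cannot be replayed.
func (s *Server) IssueChallenge(user string) (string, error) {
	if _, ok := s.users[user]; !ok {
		return "", errors.New("unknown user")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf)
	s.challenges[nonce] = user
	return nonce, nil
}

// challengeMessage is the exact byte string the client signs. Binding the
// origin into it means a signature a phishing site tricks the user into
// producing for "evil.example" is rejected by the real site.
func challengeMessage(origin, nonce string) []byte {
	return []byte("login:" + origin + ":" + nonce)
}

// ClientSign is the user-side step: sign the challenge with the private
// key that never leaves the device (or smartcard).
func ClientSign(priv ed25519.PrivateKey, origin, nonce string) []byte {
	return ed25519.Sign(priv, challengeMessage(origin, nonce))
}

// Verify consumes the nonce and checks the signature against the
// registered key. Any failure (unknown or reused nonce, wrong user,
// wrong origin, wrong key) returns an error and the login is refused.
func (s *Server) Verify(user, nonce string, sig []byte) error {
	owner, ok := s.challenges[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, nonce) // consume first, so a replay fails even if verification below succeeds
	if owner != user {
		return errors.New("challenge was issued to a different user")
	}
	if !ed25519.Verify(s.users[user], challengeMessage(s.Origin, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	// Constructed demo: one user, one honest login, then a replay attempt.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewServer("example.com")
	srv.Register("alice", pub)

	nonce, _ := srv.IssueChallenge("alice")
	sig := ClientSign(priv, "example.com", nonce)
	fmt.Println("first login:", srv.Verify("alice", nonce, sig))  // <nil>
	fmt.Println("replayed:   ", srv.Verify("alice", nonce, sig))  // error: nonce already consumed
}
```

Note what the server-side record is: a public key. A database dump gives an attacker nothing to brute-force, which is the property the thread's complaints about composition rules are really circling.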