
> So what's your solution?

Allow pasted passwords if they meet a very high password-quality heuristic; deny them if they seem too guessable.




How is that a solution to the problem of user error (i.e. mistyping)? Are you making an implicit assumption about password manager use and mistyping, that somehow your heuristic will be able to differentiate? That seems like a lot of work for something that may be prone to mistakes, while also delivering an inconsistent user experience, for the sake of some (unstated) assumptions about security that may not be founded.


It actually makes a lot of sense.

People will almost never manually type out high security (>20 random characters) passwords themselves. So if someone enters a high entropy password, you can be fairly confident that mistyping is not an issue.


I'm not quite convinced about that.

1) Aren't there people using generators like Diceware that don't do the password management part?

2) The industry's definition of "high security" is constantly changing. Password strength measurement makes assumptions about what is and isn't guessable, and a lot of that depends on what techniques the common brute-force crackers are employing. So finding the right heuristic is also problematic.


> 1) Aren't there people using generators like Diceware that don't do the password management part?

I'm not sure they're actually that common. Moreover, if someone is sophisticated enough to use a password generator I assume they have some sort of system for ensuring integrity.

Also, if you're worried about someone changing their password to something they don't know, simply force a relogin and have effective password reset mechanisms.

> 2) The industry's definition of "high security" is constantly changing.

Industry might be getting more serious about encouraging higher security passwords, but standards for high security passwords haven't really changed much. People are just becoming less tolerant of low-security ones.

In terms of estimating security, you can use something like https://github.com/dropbox/zxcvbn which does a pretty good job of evaluating entropy and resistance to brute force attacks. Ultimately, a password with sufficient entropy will be resistant to any brute force cracker.


The nice thing about password generators is that you can have a huge margin of strength for free. KeePass defaults to 119 bit passwords. Require 100 estimated bits and you'll blow manual passwords out of the water.
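
The "require N estimated bits before accepting a paste" rule from this comment, and the objection two comments up that a character-pool estimate says nothing about guessability, can both be seen in a small policy check. The code below is an added illustration, not anything posted in the thread or taken from KeePass or zxcvbn: it uses the coarse pool-size estimate that generator strength meters typically show (a constructed 100-bit threshold, the function names `pool_size`, `estimated_bits` and `paste_policy` are mine), and the sample passwords are constructed. The last example in the usage note is the point of the caveat: a lowercase dictionary passphrase sails past the threshold even though a cracker with a wordlist would find it far sooner than the estimate suggests, which is why a pattern-aware estimator such as zxcvbn is the better choice for this policy.

```python
import math
import string

# Character classes used to estimate the alphabet a password was drawn from.
# This is the coarse approach behind most generator "bit strength" meters.
# Unlike zxcvbn it knows nothing about dictionary words or keyboard patterns,
# so it overestimates human-chosen passwords (the concern raised in the thread).
_CLASSES = [
    set(string.ascii_lowercase),   # 26
    set(string.ascii_uppercase),   # 26
    set(string.digits),            # 10
    set(string.punctuation),       # 32
]


def pool_size(password: str) -> int:
    """Size of the smallest character pool that covers every character used."""
    pool = 0
    remaining = set(password)
    for cls in _CLASSES:
        if remaining & cls:
            pool += len(cls)
            remaining -= cls
    # Anything else (whitespace, non-ASCII) is counted as its own distinct symbol.
    pool += len(remaining)
    return pool


def estimated_bits(password: str) -> float:
    """Upper-bound entropy in bits: length * log2(pool), i.e. the strength the
    password would have if every character were chosen uniformly at random."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def paste_policy(password: str, threshold_bits: float = 100.0) -> str:
    """Decide whether a pasted password is accepted.

    At or above the threshold (100 bits here, a constructed value in the
    spirit of the comment) the paste is treated as generator output, where
    mistyping is not a concern. Below it the paste is denied so the user
    has to type and confirm the password.
    """
    return "allow" if estimated_bits(password) >= threshold_bits else "deny"


if __name__ == "__main__":
    # Constructed samples: a generator-style string, two human-style
    # passwords, and a lowercase dictionary passphrase.
    for pw in ["q7$Kp2!vLm9@Xw4&Rz8%", "Password1!", "Tr0ub4dor&3",
               "correcthorsebatterystaple"]:
        print(f"{pw!r:30} {estimated_bits(pw):6.1f} bits -> {paste_policy(pw)}")
```

Running it, the 20-character mixed-class string scores about 131 bits and is allowed, the two short human-style passwords score roughly 66 and 72 bits and are denied, and `correcthorsebatterystaple` scores about 117 bits and is also allowed, despite being four common English words. That false "allow" is exactly the gap between a pool-size estimate and real resistance to a wordlist-driven cracker.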


There is no solution for user error. Give up on that dream right away.

Isolate the users so they cannot destroy your system when they get hacked, because they will always get hacked.



