Great article! I liked the Reasonable Policy part but didn't quite get why special characters are not enforced.
For other readers' extended reading (curious or otherwise): I wrote an explanation of salts and peppers (Web Authentication Universal Principles) for software developers. I cover the coding angle of it with in-depth illustrations and examples.
dev.to/dpkahuja/learn-and-build-we...
If you enforce that character set, you run the risk of them writing it down, forgetting it, annoying them, or choosing a weak password. You can also cause users to write down their passwords if you enforce password changes.
Thank you!
I don't know how many times I've been annoyed dealing with that. It should stop at the length requirements, checking for known passwords, and passwords as identifiers.
Simply put, it can have a bad impact on UX, often gaining no benefit, or doing the opposite.
Beyond a minimum and maximum length, password rules are pretty terrible, despite what the math may say about a brute-force attack on those short, complex passwords. History should tell you those short, complex passwords are not good.
I'd also like to point out that the NIST too recognizes that password complexity requirements are not a good thing: pages.nist.gov/800-63-FAQ/#q-b10
What do you think about comparing the password to a list of the X most common passwords and not allowing it?
I think it's a good idea, as I suggested in the article.
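The policy the commenters above converge on (length bounds, a blocklist of known or common passwords, and rejecting passwords that contain the user's own identifiers, with no composition rules) can be written down as a small validator. The following is an added example and is not code from the article or from any of the commenters; the length bounds, the identifier-length threshold, the function names and the tiny blocklist are assumptions made for the illustration. A real deployment would load the blocklist from a breached-password corpus instead of the constructed set used here.

```python
import unicodedata

# Policy bounds. NIST SP 800-63B asks for at least 8 characters and says
# implementations should allow at least 64; the exact values are an
# assumption for this example.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Shortest identifier fragment that triggers a "contains_identifier"
# rejection (assumption; keeps a user named "bo" from being unable to use
# "boardwalk...").
MIN_IDENTIFIER_LENGTH = 4

# Constructed stand-in for a real most-common / breached password list
# (e.g. the HIBP Pwned Passwords corpus or a SecLists top-N file).
COMMON_PASSWORDS = frozenset({
    "123456", "password", "password1", "qwerty", "letmein",
    "iloveyou", "welcome", "admin123", "monkey", "dragon",
})


def normalize(text: str) -> str:
    """NFKC-normalize so visually identical inputs compare (and hash) the same."""
    return unicodedata.normalize("NFKC", text)


def identifier_fragments(identifiers):
    """Yield lowercase fragments of the user's identifiers.

    For an e-mail address both the full address and its local part are
    yielded, so "alice.smith@example.com" also blocks "alice.smith".
    """
    for ident in identifiers:
        ident = normalize(ident).lower().strip()
        if not ident:
            continue
        yield ident
        if "@" in ident:
            local_part = ident.split("@", 1)[0]
            if local_part:
                yield local_part


def validate_password(password: str, identifiers=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Only three kinds of rule are applied: length bounds, a common-password
    blocklist, and "must not contain the user's own identifiers". There are
    deliberately no composition (uppercase/digit/symbol) rules and no expiry.
    """
    pw = normalize(password)
    reasons = []

    # Length is counted in code points after normalization; spaces and
    # non-ASCII characters count like any other character.
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")

    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("common")

    for fragment in identifier_fragments(identifiers):
        if len(fragment) >= MIN_IDENTIFIER_LENGTH and fragment in lowered:
            reasons.append("contains_identifier")
            break

    return reasons


if __name__ == "__main__":
    samples = [
        ("correct horse battery staple", ["alice@example.com"]),
        ("Password", []),
        ("alice.smith2024", ["alice.smith@example.com"]),
        ("123456", []),
    ]
    for candidate, ids in samples:
        print(repr(candidate), validate_password(candidate, ids) or "accepted")
```

Note that a long all-lowercase passphrase passes while a short one that satisfies every classic composition rule can still be rejected for being on the blocklist; that is the point of the policy the thread is describing. Because the blocklist lookup happens after normalization and lowercasing, trivial case variants of a blocked password are caught too.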
Yes. And one more thing I have seen in UX: they tell you what is expected of your password after your first creation attempt. Quite a bummer.