DEV Community

Discussion on: [PoC] Partially random passwords: or how to protect users passwords from keyloggers with partially random passwords

Diego Casella

So why not use 2FA? You said that sometimes 2FA is not an option but, if that's what you want to achieve, I would recommend making the effort to use 2FA instead of reinventing your own security mechanism (which is usually difficult to get right).

Furthermore, never forget this: 98% of the time your user will be either lazy or stupid; the remaining 1%, both[0].
Do not put them in charge of their own security, ever.

Because I can totally see the following scenario, where your user will say:

oh damn, I have a 6-character-long password, and now I have to type 6 (or any custom number) more random chars :(
you know what? I'll shorten the password to the minimum length required, then the website will take care of the rest. Problem solved!

which effectively weakens the user's password, not to mention that it is not compatible with password managers.

[0] the other 1% use a password manager ;)