
Everyone's making fun of this, and it is dumb. But really this is just an example about how passwords are a stupid form of authentication. Not just this site, all passworded sites. We really need something better.

I favor OpenID or something like it. Single strong form of authentication, delegate login authority from that to non-critical sites like Hacker News. OpenID has enough of a bad reputation now it's probably a non-starter. BrowserID has some promise: https://browserid.org/



I don't know that passwords are all bad. For an alternative approach to complex rules, see:

http://xkcd.com/936/

The last time I changed a password for a service I set it to a phrase that I can easily remember but which no human or current machine will easily guess. I'd say that the only good rule is "Make it at least 9 characters" (which is at least long enough to disallow "password").


Character minimums hurt your entropy too. Stripping the entire search space up to nine characters isn't really a good idea.

In my opinion it'd be better to just find a list of the top 10K passwords and disallow them.

One out of 50 people uses one of the top 20 passwords. [0]

I'd bet that over half of passwords used are in the top ten thousand.

[0]: http://xato.net/passwords/how-i-collect-passwords


"Character minimums hurt your entropy too."

Not really. If X is the number of characters your password can be made up of, there are 8^X possible passwords that are 8 characters long, and 8^X-1 possible passwords that are less than 8 characters long. Even here, right on the border, you've only lost 1 bit of entropy (half banned, half allowed), and you win big the moment someone makes it even one character longer than the minimum who wouldn't have otherwise.


If X is the number of different characters your password can contain then the total number of possible passwords exactly 8 characters long is X^8.

The number of passwords that are less than 8 characters long is X + X^2 + ... + X^7 which is significantly less than X^8 for large X.

So your point is even more valid.
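The counting argument in the two comments above, carried through as an added example (not code posted by anyone in the thread). It assumes a password is chosen uniformly from all strings of at most `max_length` characters over an alphabet of `alphabet_size` symbols, and measures how many bits a minimum-length rule removes from that space; the function names are mine.

```python
import math


def count_exact(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters: X^length."""
    return alphabet_size ** length


def count_shorter(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of 1..length-1 characters:
    X + X^2 + ... + X^(length-1)."""
    return sum(alphabet_size ** k for k in range(1, length))


def bits_lost_by_minimum(alphabet_size: int, min_length: int, max_length: int) -> float:
    """Entropy (in bits) given up by forbidding passwords shorter than
    min_length, for a password drawn uniformly from all strings of
    1..max_length characters. log2(total / allowed)."""
    total = sum(alphabet_size ** k for k in range(1, max_length + 1))
    allowed = sum(alphabet_size ** k for k in range(min_length, max_length + 1))
    # log2 on the big integers directly avoids float overflow for long lengths.
    return math.log2(total) - math.log2(allowed)


def bits_gained_per_extra_char(alphabet_size: int) -> float:
    """Each additional character multiplies the space by X, i.e. adds log2(X) bits."""
    return math.log2(alphabet_size)


if __name__ == "__main__":
    X = 95  # printable ASCII, an assumed alphabet
    print(f"exactly 8 chars:   {count_exact(X, 8):,}")
    print(f"shorter than 8:    {count_shorter(X, 8):,}")
    print(f"bits lost, min 8:  {bits_lost_by_minimum(X, 8, 8):.4f}")
    print(f"bits lost, min 8 (binary alphabet): {bits_lost_by_minimum(2, 8, 8):.4f}")
    print(f"bits per extra char: {bits_gained_per_extra_char(X):.2f}")
```

With a 95-symbol alphabet the shorter strings are about 1/94 of the 8-character space, so banning them costs roughly 0.015 bits; the "1 bit" figure only holds for a binary alphabet, where the shorter strings are almost as numerous as the length-8 ones. Every extra character the rule pushes someone to add is worth about 6.6 bits.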


I wrote a small script to generate passwords after reading that comic [1]. Using a good wordlist one can easily produce memorable and secure passwords.

Unfortunately, many sites enforce rules that preclude this password style (e.g., must contain a number).

[1] https://github.com/redacted/XKCD-password-generator/
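A minimal generator in the style the comment above describes, written here as an added example rather than code from the linked project. It draws words with the `secrets` module (a CSPRNG, so the entropy estimate is meaningful) and sizes the phrase to a target strength; the embedded 16-word list is a constructed stand-in for a real list of several thousand words, and the function names are mine.

```python
import math
import secrets

# Constructed toy wordlist (16 words = 4 bits per word). A real list such as a
# diceware list has thousands of entries, giving ~12-13 bits per word.
WORDLIST = [
    "correct", "horse", "battery", "staple",
    "anchor", "copper", "lantern", "meadow",
    "orbit", "pillow", "ribbon", "saddle",
    "tundra", "velvet", "walnut", "zephyr",
]


def passphrase_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of `word_count` words chosen uniformly (with replacement)
    from a list of `wordlist_size` words: word_count * log2(wordlist_size)."""
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def passphrase(words: list[str], word_count: int, sep: str = " ") -> str:
    """Join `word_count` words chosen uniformly at random with a CSPRNG.
    Words are chosen with replacement, so repeats are allowed and the
    entropy formula above applies exactly."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    n = words_needed(len(WORDLIST), 44)  # 44 bits, as in the comic's example
    print(passphrase(WORDLIST, n), f"({passphrase_bits(len(WORDLIST), n):.0f} bits)")
```

Strength comes only from the number and uniformity of the choices, not from the words themselves; a site rule such as "must contain a number" forces a suffix that adds little (one decimal digit is about 3.3 bits) while making the phrase harder to remember.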


11 is also a sane minimum, to disallow 1234567890.


Or you could just disallow "1234567890".


That's a bad argument. Passwords are a decent trade-off for certain problems.

The problem is when the usability/security trade-off doesn't match the situation.


> Single strong form of authentication, delegate login authority from that to non-critical sites

How does that solve the problem of internet banking passwords? Banks are not "non-critical sites", so whatever form of authentication I use for my Reddit account is unlikely to be suitable for my bank. As a matter of fact, I don't trust LastPass with my banking passwords.


So if you share a computer with someone, how do you stop that person from logging into your account to read your email?


Strong passwords. Password manager. Separate accounts. KeePass or 1Password (which I prefer on OS X) are quite good.

I use gmail + 2-step auth. You can configure it to be quite paranoid.


You always have the IMAP/POP backdoor on Gmail, which does not use 2-factor auth.


Not always. You can switch those off and on separately.


Sorry, I meant to say with the BrowserID.



