Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.

Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…

  • Soulifix@kbin.melroy.org · 1 upvote · 13 hours ago

    Any service that says I must have a 12 or 14 string password, combined with symbols, numbers and letters.

    Do you know why I have to keep resetting my password on services that have this dumb requirement? Because your fucking requirements are absurd and unnecessary. I don’t have the mental capacity to care to remember that long of a password. I have to have a document now of all of the passwords I have so it’s not forgotten. I have to have browsers autofill for me because of this shit.

    In a perfect world, 6 - 8 string passwords would suffice and lots of emphasis on symbols and numbers at the very least. The longer you try making the characters of a password, the chances of forgetting increases.

    Flickr does this. Some of the portals for my apartment do this. Portals to some of my medical information do this. It’s fucking bullshit. StateFarm does this too.

    • spujb@lemmy.cafe · 6 upvotes · 13 hours ago

      Using a password manager is a lifesaver for this :) There are open-source ones like KeePass, and you can sync the encrypted file across devices using Dropbox or similar.

    • AA5B@lemmy.world · 1 upvote · 9 hours ago

      For me it’s the opposite - every password is generated, except for those websites that limit me to something unreasonably short like 14 chars. They need to accept longer passwords, so I can use a generated one with default complexity, not have to make up something easy to remember

    • thebestaquaman@lemmy.world · 1 upvote · edited · 8 hours ago

      I wholeheartedly disagree. A long password like “this is the best password for email” is near-impossible to brute-force, while being extremely easy to remember. A short password with special characters / numbers / lowercase + capital letters, like “Emai1_Passw0rd!”, is far easier to brute-force, and a lot harder to remember (which letters did I capitalize again? Which ones did I swap with numbers? What symbol did I throw in?)

      Optimal password requirements are … nothing. Because every requirement you put in reduces the parameter space an attacker needs to search. Second best is setting a minimum number of characters, because a bunch of people are stupid and will use single-letter passwords if you let them.
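An added worked example, not from any poster in this thread, that puts numbers on the two claims in the comment above: composition rules shrink the keyspace an attacker has to search, and a long passphrase beats a short mangled dictionary word. It is Python; the character-class sizes, the guess rate of 10^10/s, the 20,000-word dictionary, the 64 leet/case variants per word and the 32 glue symbols are all assumptions of this example and are labelled as such in the code.

```python
import math
from itertools import combinations

# Assumed character-class sizes for a US keyboard (this example's assumption,
# not a figure from the thread): 26 lower, 26 upper, 10 digits, 32 symbols.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def unconstrained_keyspace(length, alphabet_size):
    """Strings of `length` over an alphabet of `alphabet_size` symbols, no rules."""
    return alphabet_size ** length


def required_class_keyspace(length, class_sizes):
    """Strings of `length` that contain at least one character from EVERY class.

    Inclusion-exclusion over the set of classes that are absent: subtract the
    strings missing one class, add back those missing two, and so on. This is
    the quantitative form of "every requirement reduces the parameter space".
    """
    total = sum(class_sizes)
    n = len(class_sizes)
    count = 0
    for k in range(n + 1):
        for absent in combinations(range(n), k):
            remaining = total - sum(class_sizes[i] for i in absent)
            count += (-1) ** k * remaining ** length
    return count


def bits(keyspace):
    """Keyspace expressed as the bits an attacker has to search."""
    return math.log2(keyspace)


def passphrase_bits(word_count, dictionary_size):
    """Passphrase strength against an attacker guessing whole words from a
    list of `dictionary_size` words (the right model for passphrases;
    counting characters would wildly overstate it)."""
    return word_count * math.log2(dictionary_size)


def mangled_dictionary_bits(word_count, dictionary_size, variants_per_word, glue_choices):
    """Strength of a 'dictionary word + leet/case mangling + symbol' password
    against a rule-based cracker: each word is picked from the dictionary,
    spelled in one of `variants_per_word` mangled forms, and followed by one
    of `glue_choices` separator/suffix symbols."""
    per_word = (math.log2(dictionary_size) + math.log2(variants_per_word)
                + math.log2(glue_choices))
    return word_count * per_word


def crack_seconds(keyspace, guesses_per_second):
    """Worst-case seconds to exhaust the keyspace (expected time is half that)."""
    return keyspace / guesses_per_second


def compare_policies(length=8):
    """Unconstrained vs 'must contain all four classes' at a given length."""
    sizes = list(CLASSES.values())
    free = unconstrained_keyspace(length, sum(sizes))
    forced = required_class_keyspace(length, sizes)
    return {
        "unconstrained_bits": bits(free),
        "all_classes_required_bits": bits(forced),
        "fraction_of_space_remaining": forced / free,
    }


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guesses/s against a fast hash; not from the thread

    for length in (8, 12, 14):
        r = compare_policies(length)
        print(f"{length} chars: no rules {r['unconstrained_bits']:.1f} bits, "
              f"all classes required {r['all_classes_required_bits']:.1f} bits "
              f"({r['fraction_of_space_remaining']:.0%} of the space left)")

    # "Emai1_Passw0rd!": two dictionary words; assumed 20,000-word dictionary,
    # 64 case/leet variants per word, 32 possible glue symbols ('_' and '!').
    mangled = mangled_dictionary_bits(2, 20_000, 64, 32)
    naive = bits(unconstrained_keyspace(15, 94))
    print(f"Emai1_Passw0rd!: {naive:.1f} bits if treated as random, "
          f"~{mangled:.1f} bits against a rule-based cracker "
          f"(~{crack_seconds(2 ** mangled, RATE) / 86400:.1f} days at {RATE:.0e}/s)")

    # "this is the best password for email": 7 words, modelled as a word-list
    # attack with the same assumed 20,000-word dictionary.
    phrase = passphrase_bits(7, 20_000)
    print(f"7-word passphrase: ~{phrase:.1f} bits "
          f"(~{crack_seconds(2 ** phrase, RATE) / (86400 * 365):.1e} years at {RATE:.0e}/s)")
```

Two caveats the numbers do not show on their own. The passphrase figure treats the seven words as chosen independently; a grammatical English sentence is more guessable than seven random words from the same list, so for that particular phrase it is an upper bound, and the honest comparison is "random words vs mangled word", where the passphrase still wins by tens of bits. And the rule-based estimate for "Emai1_Passw0rd!" depends entirely on the cracker's wordlist and rule set, which is exactly why a 15-character string that looks like 98 bits on paper can fall in days. On a well-run service the thing that bounds an offline attack is the slow password hash and, online, rate limiting; the composition policy changes the search space by about a bit at 8 characters, as compare_policies shows.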