BitcoinFarmer
New Scratcher
500+ posts

Don't exaggerate with Password Requirements

Don't exaggerate with Password Requirements

I have seen lots of suggestions which intend to raise password requirements to a higher level recently and I feel like whilst this makes sense to some point, we must avoid going too far.

This includes:
  • Don't increase the minimum password length to more than 8 characters.
  • Don't enforce the usage of special characters.
  • Don't enforce the use of capital and non-capital letters.

Why?
Whilst these increased requirements will support security of accounts from brute force hackers, they are also causing new flaws:
  • They get increasingly hard to remember.
  • They get a pain to type in and the passwords will feel really annoying.
  • You have a high chance of making mistakes.

This will commonly lead to passwords being written down, which just in fact lowers security again, and that is often in an insecure file or a text sheet which other people can find and then just learn the password from. Therefore, too high password criteria can in fact compromise security.

Also, if you had a realistic way of telling how long it would take a hacker to brute-force your password, if it takes one week and you are just a normal account, it is already not worth it. Who would waste one week of your time on this? And in personal need, you can still pick a stronger password.
CodeComet6161
Scratcher
1000+ posts

Please instead post these on the actual topic, don't just make a new topic because of a suggestion you don't agree with.
BitcoinFarmer
New Scratcher
500+ posts

CodeComet6161 wrote:

Please instead post these on the actual topic, don't just make a new topic because of a suggestion you don't agree with.
This is a suggestion that presents an entirely different approach similar to “Don't add ai”. This is best to be discussed here in my opinion. Also, sometimes suggestions may conflict and there are multiple topics, so one central place to discuss this is better.

Last edited by BitcoinFarmer (Jan. 17, 2026 13:41:44)

CodeComet6161
Scratcher
1000+ posts

BitcoinFarmer wrote:

CodeComet6161 wrote:

Please instead post these on the actual topic, don't just make a new topic because of a suggestion you don't agree with.
This is a suggestion that presents an entirely different approach similar to “Don't add ai”. This is best to be discussed here in my opinion. Also, sometimes suggestions may conflict and there are multiple topics, so one central place to discuss this is better.
That topic is not conflicting with another suggestion.
This one is.
Therefore, it would be better to post it on the actual topic.
BitcoinFarmer
New Scratcher
500+ posts

CodeComet6161 wrote:

BitcoinFarmer wrote:

CodeComet6161 wrote:

Please instead post these on the actual topic, don't just make a new topic because of a suggestion you don't agree with.
This is a suggestion that presents an entirely different approach similar to “Don't add ai”. This is best to be discussed here in my opinion. Also, sometimes suggestions may conflict and there are multiple topics, so one central place to discuss this is better.
That topic is not conflicting with another suggestion.
This one is.
Therefore, it would be better to post it on the actual topic.
Yes, that topic conflicts with multiple ones, actually. For example the suggestion to expand with AI, suggestions to generate scripts with AI et cetera et cetera. Same for mine as there are different approaches to expanding password security and I want to suggest a healthy limit here.


Also apologies for writing so slowly, my account is not Scratcher but new to Scratch and so I have 120 seconds of fun.
CodeComet6161
Scratcher
1000+ posts

BitcoinFarmer wrote:

CodeComet6161 wrote:

BitcoinFarmer wrote:

CodeComet6161 wrote:

Please instead post these on the actual topic, don't just make a new topic because of a suggestion you don't agree with.
This is a suggestion that presents an entirely different approach similar to “Don't add ai”. This is best to be discussed here in my opinion. Also, sometimes suggestions may conflict and there are multiple topics, so one central place to discuss this is better.
That topic is not conflicting with another suggestion.
This one is.
Therefore, it would be better to post it on the actual topic.
Yes, that topic conflicts with multiple ones, actually. For example the suggestion to expand with AI, suggestions to generate scripts with AI et cetera et cetera. Same for mine as there are different approaches to expanding password security and I want to suggest a healthy limit here.


Also apologies for writing so slowly, my account is not Scratcher but new to Scratch and so I have 120 seconds of fun.
I meant purposefully trying to argue with another topic.
BitcoinFarmer
New Scratcher
500+ posts

CodeComet6161 wrote:

BitcoinFarmer wrote:

CodeComet6161 wrote:

BitcoinFarmer wrote:

CodeComet6161 wrote:

Please instead post these on the actual topic, don't just make a new topic because of a suggestion you don't agree with.
This is a suggestion that presents an entirely different approach similar to “Don't add ai”. This is best to be discussed here in my opinion. Also, sometimes suggestions may conflict and there are multiple topics, so one central place to discuss this is better.
That topic is not conflicting with another suggestion.
This one is.
Therefore, it would be better to post it on the actual topic.
Yes, that topic conflicts with multiple ones, actually. For example the suggestion to expand with AI, suggestions to generate scripts with AI et cetera et cetera. Same for mine as there are different approaches to expanding password security and I want to suggest a healthy limit here.


Also apologies for writing so slowly, my account is not Scratcher but new to Scratch and so I have 120 seconds of fun.
I meant purposefully trying to argue with another topic.
I feel like this is still the right way and purposeful and maybe we will learn things in the discussion here that can also help argue on the other topics and be productive there, but in my opinion this is the right approach.
mingo-gag
Scratcher
1000+ posts

Can't you just go on one of those topics and say why you don't support? It isn't that hard.

Last edited by mingo-gag (Jan. 17, 2026 15:47:00)

BitcoinFarmer
New Scratcher
500+ posts

This is a societal critique on a very high level O_o
cookedasparagus8
Scratcher
1000+ posts

I don't support this.
Accounts keep getting hacked and this will only make it worse.
Githubbb
BitcoinFarmer
New Scratcher
500+ posts

cookedasparagus8 wrote:

I don't support this.
Accounts keep getting hacked and this will only make it worse.
Githubbb
As and those enforcements are counterproductive.
cookedasparagus8
Scratcher
1000+ posts

BitcoinFarmer wrote:

As and those enforcements are counterproductive.
How are they counterproductive? It literally encourages you to secure your account. Your argument is invalid.
Also, your username.
cosmosaura
Scratch Team
1000+ posts

BitcoinFarmer wrote:

Don't exaggerate with Password Requirements

I have seen lots of suggestions which intend to raise password requirements to a higher level recently and I feel like whilst this makes sense to some point, we must avoid going too far.

This includes:
  • Don't increase the minimum password length to more than 8 characters.
  • Don't enforce the usage of special characters.
  • Don't enforce the use of capital and non-capital letters.

Why?
Whilst these increased requirements will support security of accounts from brute force hackers, they are also causing new flaws:
  • They get increasingly hard to remember.
  • They get a pain to type in and the passwords will feel really annoying.
  • You have a high chance of making mistakes.

This will commonly lead to passwords being written down, which just in fact lowers security again, and that is often in an insecure file or a text sheet which other people can find and then just learn the password from. Therefore, too high password criteria can in fact compromise security.

Also, if you had a realistic way of telling how long it would take a hacker to brute-force your password, if it takes one week and you are just a normal account, it is already not worth it. Who would waste one week of your time on this? And in personal need, you can still pick a stronger password.

This is rejected. We hear you that long passwords can be a hassle, but simple passwords are easier to guess and crack. We want to make sure your account stays totally safe, so keeping these security rules helps protect all your hard work and progress!
