Joined: May 27, 2019 | Messages: 1
Since you guys have 2FA (nice!) I figure this little nitpick about password security might not be too annoying.
I just signed up and accidentally used the same string for both my username and password (due to password manager and clipboard finagling, lol). The username string should not be a permissible password.
I suggest disallowing, or at least showing a warning, for trivially bad passwords that meet any of these criteria:
[ul]
[li]Password is the same as username or email address.[/li]
[li]Fewer than n characters, for n of your choice.[/li]
[li]Matches a known-bad password from e.g. rockyou, top 1000 worst passwords, top 1,000,000, or whatever, one of these lists.[/li]
[li]Matches a regular-ass dictionary word.[/li]
[/ul]
You may also consider existing implementations like dropbox/zxcvbn or cupslab/password-meter.
I know the threat model for most users on this site isn't gonna be something like crazy that they need to protect at all costs, but it can't hurt to force a threshold for password quality. I signed up in the first place because guest users don't have access to some of the site's functionality because of DDOS attempts, so I was surprised there were no password quality standards. A malicious party might be able to brute-force or dictionary attack an arbitrary number of accounts with weak passwords and effectively circumvent the account signup restrictions. I have no clue what other measures you have in place for the DDOS issue, but that's just one of many motivations for adding password requirements.
@devs great job with the site though, it's slick as hell.
cheers
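As an added example (not code from the post or from the site's developers), here is a signup-time check in Python that implements the four criteria listed in the post; the minimum length of 12, the sample banned list and the sample dictionary are assumed placeholders for the real lists, and as a small extension of the first criterion it also rejects the local part of the email address.

```python
# Added example: a signup-time password quality gate for the four checks
# proposed in the post. The threshold and the word lists below are
# constructed placeholders, not the site's real configuration.

MIN_LENGTH = 12  # assumption: the "n of your choice" from the post


def _normalize(s: str) -> str:
    """Compare case-insensitively and ignore surrounding whitespace."""
    return s.strip().casefold()


# Constructed stand-ins for a breach list (e.g. rockyou) and a word list,
# stored normalized so lookups are O(1) and case-insensitive.
BANNED_PASSWORDS = {_normalize(p) for p in
                    ("password", "123456", "qwerty", "letmein", "iloveyou")}
DICTIONARY_WORDS = {_normalize(w) for w in
                    ("sunshine", "dragon", "monkey", "football", "princess")}


def password_problems(password: str, username: str, email: str,
                      min_length: int = MIN_LENGTH) -> list[str]:
    """Return every policy violation found; an empty list means accept."""
    problems = []
    pw = _normalize(password)

    # Criterion 1: password equals username or email address. The email's
    # local part ("alice" from "alice@example.org") is rejected too.
    local_part = email.split("@", 1)[0]
    identity = {_normalize(username), _normalize(email), _normalize(local_part)}
    identity.discard("")  # never let an empty identity match anything
    if pw in identity:
        problems.append("password matches username or email address")

    # Criterion 2: minimum length (counted on the raw string, not normalized).
    if len(password) < min_length:
        problems.append(f"fewer than {min_length} characters")

    # Criterion 3: appears on a known-bad password list.
    if pw in BANNED_PASSWORDS:
        problems.append("password appears on a known-bad password list")

    # Criterion 4: is a plain dictionary word.
    if pw in DICTIONARY_WORDS:
        problems.append("password is a plain dictionary word")

    return problems


def is_acceptable(password: str, username: str, email: str) -> bool:
    """Convenience wrapper for the signup handler."""
    return not password_problems(password, username, email)
```

The banned and dictionary sets would be loaded from the real lists at startup; the rest of the logic is unchanged by their size.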