
Slight tangent: My wife's place of work has recently instituted a minimum 16-character password rule with the standard complexity requirements. They also encourage the use of password management software, as well as enforcing password changes every 6 months.

Where I see a flaw in this is the initial login.

If you're not already on your computer to access the password manager, how do you retrieve the essentially non-memorisable password to unlock your computer in order to get to the password manager to retrieve the essentially non-memorisable password?

The password to unlock the computer, therefore, must be able to be remembered. This pretty much excludes 16-character auto-generated passwords for anyone but a savant.

Am I missing something obvious here? (MFA using an authenticator app on the phone? Is that something that Windows / Mac / Linux supports?)



I've not met anyone who doesn't just increment a digit at the end every 6 months.

And any password length requirement beyond 8 always ends up being just a logical extension of an 8-character password (like putting 1234 at the end); if 16 characters are required, one would just type their standard password in twice.

If any of the old passwords (potentially from unrelated applications) get leaked, it's almost trivial to guess the current password.
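An added example, not from any commenter on this thread: a defender-side password-change validator that rejects exactly the rotations described above. Given the previous passwords on record, it refuses a new password that bumps a trailing counter, repeats the old password twice, or embeds the old password; the 16-character minimum is the policy from the first comment, and the function names are my own assumptions.

```python
import re

# Added example, not from the thread: a password-change validator that rejects
# the predictable rotations described above. Function names are assumptions.
MIN_LENGTH = 16  # the policy from the first comment

# Captures the LAST run of digits plus whatever non-digits follow it,
# so 'Summer2023!' -> ('Summer', '2023', '!').
_COUNTER = re.compile(r"^(.*?)(\d+)(\D*)$")

def split_counter(pw: str):
    """Return (prefix, digits, suffix) or None if the password has no digits."""
    m = _COUNTER.match(pw)
    return m.groups() if m else None

def derived_from_previous(old: str, new: str):
    """Return a short reason if `new` is a predictable edit of `old`, else None.
    Comparison is case-insensitive so 'Hunter2' -> 'hunter3' is still caught."""
    o, n = old.lower(), new.lower()
    if o == n:
        return "unchanged"
    if n == o * 2:
        return "previous password typed twice"
    oc, nc = split_counter(o), split_counter(n)
    if oc and nc and oc[0] == nc[0] and oc[2] == nc[2]:
        if int(nc[1]) == int(oc[1]) + 1:
            return "counter incremented"
        return "only the embedded number changed"
    if o in n:
        return "previous password reused inside the new one"
    return None

def check_new_password(new: str, history):
    """List the policy violations for `new` against previous passwords in
    `history` (most recent first). An empty list means the change is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for old in history:
        reason = derived_from_previous(old, new)
        if reason:
            problems.append(reason)
            break  # one match is enough to reject
    return problems

if __name__ == "__main__":
    # Constructed sample history, most recent first.
    history = ["Summer2023!", "Summer2022!"]
    for candidate in ["Summer2024!", "Summer2023!Summer2023!", "plover-ravine-soda-12"]:
        print(candidate, "->", check_new_password(candidate, history) or "ok")
```

A real deployment would compare against a stored history of hashes rather than plaintext, which limits this check to the moment of change when both old and new passwords are in hand.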


Yeah, that's kinda my point, increasing the complexity requirements counter-intuitively reduces, or at least doesn't change, the actual level of security provided.

It's a wetware limitation. Not that we don't have methods that could improve it, it's just that they're not yet implemented at this specific point of contact. Interestingly.



