Replies: 2 comments
-
Hi! So, this issue is referenced here and although a longer password is of course better, just having length is clearly not enough. Of course, we can extend the length of the password, I can add that in a fix in a pending PR on the password policy. Also, we are all working on this project on our own time, no need to call it stupid :)
-
Have you a reference for that? To my understanding a 128 char password will not be bruteforced in reasonable time, even if it's just lowercase letters. There are better methods to prevent hacked accounts like #563 and #564. It annoys me very much when services don't let me use a secure password while their policy allows a much weaker one! I call that stupid. Not meant to be personal tho. Sure, not everyone thinks about secure passwords a lot and I should be more kind when suggesting improvements.
-
I tried to sign up with the password `pyf962nn7gebp9x39zo8id`. I got the error "must include at least one lowercase letter, one uppercase letter, and one digit".
Then I successfully signed up with the password `Password1`. Are you serious that this is more secure?
Recommendation: policy should only enforce a number of characters. Not sure what is recommended right now. At least 12 or 16.
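The two passwords from the post above, run through the composition rule quoted in the error message and through a length-only rule, as an added example that is not the project's own code. The 12-character minimum is taken from the post's suggestion, and `brute_force_bits` is a hypothetical helper whose figure is only an upper bound that holds for randomly generated characters, so it overstates a dictionary-style password such as `Password1`.

```python
import math
import string

# Character classes used for the search-space estimate (an assumption of
# this example, not something the project defines).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def composition_policy(pw):
    """Rule implied by the quoted error: one lowercase, one uppercase, one digit."""
    return (any(c in string.ascii_lowercase for c in pw)
            and any(c in string.ascii_uppercase for c in pw)
            and any(c in string.digits for c in pw))

def length_policy(pw, min_len=12):
    """Length-only rule; min_len=12 follows the suggestion in the post."""
    return len(pw) >= min_len

def brute_force_bits(pw):
    """Upper bound on exhaustive-search cost in bits: length * log2(pool),
    where pool is the combined size of the character classes the password
    uses. Valid only if every character was chosen uniformly at random."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def compare(passwords):
    """Return one row per password: (password, composition ok, length ok, bits)."""
    return [(pw, composition_policy(pw), length_policy(pw),
             round(brute_force_bits(pw), 1)) for pw in passwords]

if __name__ == "__main__":
    samples = [
        "pyf962nn7gebp9x39zo8id",  # rejected at sign-up, per the post
        "Password1",               # accepted at sign-up, per the post
        "a" * 128,                 # constructed: 128 lowercase characters
    ]
    print(f"{'password':<26}{'composition':<13}{'length>=12':<12}bits (upper bound)")
    for pw, comp_ok, len_ok, bits in compare(samples):
        shown = pw if len(pw) <= 24 else pw[:21] + "..."
        print(f"{shown:<26}{str(comp_ok):<13}{str(len_ok):<12}{bits}")
```

The repeated-character sample passes the length rule and gets a large bound, which shows why the bound says nothing about passwords that were not generated randomly.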