Don't force the user to use a "secure" passphrase #1009
Comments
password is the thing you log in with
matrix-org/matrix-spec-proposals#2000 deals with removing the mismatched password security
thanks, then i mean passphrase.
Users should have no right of endangering all their recipients by choosing a weak passphrase
i guess you are a troll. otherwise you would have understood the xkcd i posted, which explains to you why the algorithm which is in use is broken. if you decide to drive a small vehicle, it is up to you if you get crashed by a 3t SUV which breaks every bone in an accident. or do you want to forbid the people to use small cars?
Your insult doesn't surprise me since your discussing capabilities are limited to such idiotic statements as the car comparison, which is not apt in any possible way to the discussion. And I will be so kind not to comment on the embarrassing link you posted (for those who want to save a click, the author argues password managers are bad and logging in via Facebook APIs is good). I will instead let you answer yourself.
That's why your suggestion to lower security standards is silly.
i never said that the security should be lowered. i said: don't force the user to any password rule, except maybe the length. the user should be able to decide himself if he wants to use a low quality password or a "high end" password. it is the responsibility of the user, not yours.
no idea which article you read, but for sure not the one i mentioned. the author argues that he would probably go with a password manager (like i do). i use keepassx and the password which was chosen (12 chars, upper/lower/digits/special chars) was NOT enough. that's why i was complaining.
when i change my root password to "abc" i get a complaint/hint, when i enter "abc" again, it is set to abc because that's what i want. period. no matter how insecure that is. if you need a nanny for everything, then it is your thing. but please stop infantilizing people. ps.: english is not my native language, i hope you understand what i mean.
I will cut it short and in simple English so hopefully you will understand fully. You are asking for lower security standards for everyone, without even providing a valid reason for it. Since you said you use a password manager you can create a strong password effortlessly. So there are two possibilities here:
In both cases you provide the perfect answer once again
No. one more time. I would like to have more flexibility/freedom. If a user wants a 4k chars passphrase with all kinds of cryptic chars, that's fine for him - he can have a, in your opinion, super special super duper strong passphrase. he has maximum security, no lowering in security standards for others! when i type in "idontwanttod", then that's enough, but 12 chars with mixed chars is not. wth?
this complete topic is not about the security aspect, it is about freedom of choice. when i want a passphrase like "password", then this should be my decision. i am fine with a warning, but aborting the process resp. not starting it is simply wrong. this reminds me of:
I guess the bit being alluded to here is by you choosing a weaker password you are the weakest link in the security chain and thus weakening the security for all your peers.
this is from the link i posted above.
There's nothing to add to what @t3chguy said. If you still don't understand maybe you don't want to. Happy to see Matrix team taking sane decisions.
@35609902357 you posted in this thread https://github.com/vector-im/riot-web/issues/8751 that it should be better documented, "effort should be addressed toward ease of use, easy and pleasant first time wizard with clear options and easy to use default values, with the possibility for power users to choose more advanced options, and pleasant UI". now, when i say "this should be better documented" it is insane? lol, this is ridiculous.
the problem is: if i don't understand, there are probably many others that don't understand too. and maybe you should stop lying ("the author argues password managers are bad and logging in via Facebook APIs is good" - he said none of that). that's a bad habit.
IMO this needs to be a toggle in a config somewhere. For just testing and getting non-technical people online, forcing them to use a password manager is a hurdle to adoption. Most matrix server implementations have lock out periods for failed attempts which makes brute forcing weak passwords impractical. Secure by default with a toggle in the config would be my vote if I got one.
The only requirement I see is that the passphrase has sufficient length, which is precisely what that xkcd is about. So either there has been a change to the policy since the issue was created, or the creator didn't get it. Not vetoing a config option to define the minimum length, but I'd create a new issue for that because this one is, quite frankly, stupid.
This issue seems mostly to be a flame war. The ability to choose your own recovery phrase is being removed as part of element-hq/element-web#26468, so we may as well close this.
@richvdh not sure about that. My complaint was that something like "123!blahT" is marked as insecure whereas another one like "$%!@" is not. Can't remember the exact passwords, but it made absolutely no sense to have a "better" password (better -> more entropy) being blocked whereas a password with less entropy is perfectly fine.
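The thread argues about three things: whether "123!blahT" should score worse than "$%!@", whether length alone (the xkcd 936 point) is the requirement that matters, and whether a weak passphrase should be blocked or merely warned about with a config toggle. The following is an added illustration written for this page, not code from Riot/Element or any strength library, that estimates entropy from length and the character classes actually used and applies a minimum length plus a warn-or-block policy; the thresholds (12 characters, 60 bits) and the sample passphrases are assumptions chosen to match the thread.

```python
import math
import string

# Character classes for a crude charset-size estimate (assumption: this
# xkcd-style length * log2(charset) model, not a cracking-cost model).
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
_ALNUM = string.ascii_letters + string.digits
_SYMBOL_CLASS_SIZE = 33  # printable ASCII punctuation plus space


def estimate_bits(passphrase: str) -> float:
    """Entropy estimate in bits: length * log2(size of the classes used).

    Length dominates: 25 lowercase letters beat 9 mixed characters, which is
    the point of xkcd 936. A 4-symbol passphrase scores far below either.
    """
    if not passphrase:
        return 0.0
    charset = sum(len(cls) for cls in _CLASSES if any(c in cls for c in passphrase))
    if any(c not in _ALNUM for c in passphrase):
        charset += _SYMBOL_CLASS_SIZE
    return len(passphrase) * math.log2(charset)


def check_passphrase(passphrase: str, min_length: int = 12,
                     warn_bits: float = 60.0, strict: bool = False) -> str:
    """Return 'ok', 'warn' or 'block'.

    min_length is the one hard rule (too short is always blocked).
    Below warn_bits the result depends on the deployment toggle:
    strict=True blocks (secure by default), strict=False only warns,
    which is the "inform the user but let him proceed" option from the issue.
    """
    if len(passphrase) < min_length:
        return "block"
    if estimate_bits(passphrase) < warn_bits:
        return "block" if strict else "warn"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: the two from the thread plus the xkcd phrase.
    for sample in ("$%!@", "123!blahT", "idontwanttod", "correcthorsebatterystaple"):
        print(f"{sample!r:30} {estimate_bits(sample):6.1f} bits "
              f"-> {check_passphrase(sample)} / strict: {check_passphrase(sample, strict=True)}")
```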
Is your suggestion related to a problem? Please describe.
When i click on "set up" for encrypted communication in riot web, it asks me for a password.
When i enter my password (12 chars, upper/lower case, special chars) it says "keep going".
Describe the solution you'd like
Inform the user that the password MIGHT be insecure. But let him proceed anyway.
Describe alternatives you've considered
Just don't "verify" a password. see https://xkcd.com/936/
Additional context