• diorama
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    4 years ago

    No if you forbid it by design. That was actually what I was asking for.

    • Ephera
      link
      fedilink
      arrow-up
      2
      ·
      4 years ago

      Ah, I thought you meant “complex” like the complexity rating that password managers or some sign-up forms give you. Because with that, “1234567” is considered more complex than “123456”.

      But I guess, you would rather for example enforce that no substrings from the previous password are allowed to show up in the new password.

      I think, that would be fine, UX-wise, if you for example require no more than three consecutive symbols to be the same. That should only trigger in rare cases and mostly in cases where it is sensible.

      Bonus points, if you recommend the use of a password manager when you detect someone doing that. Because in my experience, it’s almost never the case that people don’t know how a good password would look, it’s just that they’re human.

      • diorama
        link
        fedilink
        arrow-up
        1
        ·
        4 years ago

        Yes you are right, I mixed up stength with complexity. :)
        Since the user cannot assess password complexity on sight, it may be useful to help the user understanding this complexity. Maybe this?
        I have mixed feelings towards password managers I cannot explain. I concede it may be just my ignorance. :)

        • Ephera
          link
          fedilink
          arrow-up
          2
          ·
          4 years ago

          I used to have mixed feelings about password managers, thinking I’m exposing all my passwords behind just a single password.

          But without a password manager, it’s pretty much impossible to use a different password for each service. And that’s really the bigger risk, as services leak password hashes so often, if that hash gets bruteforced once, you’re fucked for every service where you reused that password.

          I mean, services can add Salt and Pepper to the password hashes to make bruteforcing the hash harder and the result less useful, but you unfortunately can’t rely on that.