DEV Community

Discussion on: Authentication vulnerabilities

Collapse
ashleyjsheridan profile image
Ashley Sheridan

It might be worth mentioning that most password strength libraries tend to follow the same rules that actually produce less secure passwords because of human nature. Typically these libraries request a mix of mixed case letters, some numbers, and the "special characters" (which is a misnomer, as often it's limited to basic punctuation). With these kinds of limits, we're enforcing situations where a user actually has more difficulty creating a memorable password, and then needs to rely on other systems to help. At best this would be a password manager, but at worst this is a passwords.txt file on the desktop.

Randall Munroe, (NASA scientist, mathematician, artist) has a great comic to help users select good passwords, as he recognises the problem with current password strength algorithms, and what they're effectively training users to do.

People are great at remembering things that evoke an image or emotion in their mind, but terrible at a string of nonsensical characters. So if forced by poor rules, they choose passwords that fit the rule, but create poor passwords, like "Password123!" (I'd bet money on this being somewhere in a leaked password list online)

Collapse
ms_74 profile image
Mariam Reba Alexander Author • Edited on

Agree, how to create a memorable password is upto your imagination, like the first letter of every word of a song or a sentence for example. It is also important to use an api like I mentioned above to check if the user created is in the list of breached data or a commonly used one.

Collapse
ashleyjsheridan profile image
Ashley Sheridan

Yeah, I use the old horse-battery-staple technique for my passwords. It does mean they're very long, but much harder to crack than a "Pa$$w0rd" which is what a lot of APIs determine is a "strong" password.