Hacker News

I recall a talk at PasswordsCon by Per Thorsheim where he pointed out that not only does the password "Password2022" meet most "strict" criteria (three different character classes, longer than eight characters), and it's amenable to yearly demands for changing (increase the year), but in large organizations you're actually very likely to find a user or two with this password (as seen in audits that ran simple brute force against the user directory).

PS: in the rare case it's not "secure" enough, add an exclamation point: "Password2022!"



One good complexity check would be "contains a single dictionary word as the main content." I don't know if the library does it, though.


Why is this a good complexity check?


Because dictionary attacks are easy on single words + small mutations, like some capitalizations and adding 1-2 digits.
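As an added example (not code posted by anyone in this thread), the following Python contrasts the classic "three character classes and longer than eight" rule from the first comment with the dictionary-core check proposed above: it strips the small mutations a dictionary attack enumerates anyway (trailing punctuation, 1-4 appended or prepended digits such as a year, common leetspeak, case) and asks whether what is left is a dictionary word. The tiny word list is constructed for the demo; a real deployment would load a large cracked-password corpus.

```python
import re
import string

# Constructed stand-in for a real dictionary / breached-password list.
WORDLIST = {"password", "welcome", "summer", "company", "dragon", "letmein"}

# Common leetspeak substitutions an attacker's rule set undoes: @->a $->s 0->o 1->i 4->a 3->e 5->s 7->t
LEET = str.maketrans("@$014357", "asoiaest")


def meets_strict_criteria(pw: str) -> bool:
    """The 'strict' rule from the thread: three of four classes, longer than eight chars."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) > 8 and sum(classes) >= 3


def dictionary_core(pw: str, wordlist=WORDLIST):
    """Return the dictionary word a password is built from once trivial mutations
    are removed, or None if no such word is the password's main content."""
    core = pw.strip(string.punctuation)        # "Password2022!" -> "Password2022"
    core = re.sub(r"\d{1,4}$", "", core)        # drop up to 4 trailing digits (years, "1")
    core = re.sub(r"^\d{1,4}", "", core)        # drop up to 4 leading digits
    core = core.strip(string.punctuation)       # punctuation that sat inside the digits
    core = core.translate(LEET).lower()         # undo leetspeak and capitalization
    # "main content": the word must account for at least half of the password.
    if core in wordlist and len(core) * 2 >= len(pw):
        return core
    return None


def check_password(pw: str) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if not meets_strict_criteria(pw):
        problems.append("fails length/character-class rule")
    word = dictionary_core(pw)
    if word:
        problems.append(f"dictionary word '{word}' plus trivial mutations")
    return problems


if __name__ == "__main__":
    for candidate in ["Password2022", "Password2022!", "P@ssw0rd1!", "xk7#Lq9!vT"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

Both "Password2022" and "Password2022!" pass `meets_strict_criteria` and are rejected only by `dictionary_core`, which is the point of the thread: character-class rules measure the wrong thing, because the attacker's rule set strips exactly these decorations before comparing against the word list.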



