Codeberg/Community
your password requirements for new users are annoying and put you in a bad light #173

Closed
opened 2020-04-26 21:52:53 +02:00 by joernhees · 13 comments

Your [sign up](https://codeberg.org/user/sing_up) currently seems to require pws to be no less than 6 chars long and have the following requirements:

Password does not pass complexity requirements:
At least one special character (punctuation, brackets, quotes, etc.)
At least one lowercase character
At least one uppercase character
At least one digit

So you're telling new users to trust your platform with their code, but during the sign up process you imply that `aaaA1.` is more secure than a standard `pwgen 20` (e.g., `Nue0gaev3nooGoh5ahph`)?

https://xkcd.com/936/
Member

There is an ongoing discussion in https://github.com/go-gitea/gitea/issues/11177 suggesting to add a NIST compliant entropy checker which we would very much endorse.

Do you think you could possibly contribute to bring the implementation of this feature forward?

Sorry, but how about enabling Unicode support in passwords?

I’m just an average user (I don’t code), but this would make it easier for users to create much more complex passwords.

I think the password requirement is smart. Actually, all my passwords are between 16 and 24 chars long, and contain at least two distinctly different of each. I'm actually annoyed if I sign up somewhere where they trip over special chars, or can't handle more than eight characters. No, STEAM pisses me off with their weird practices. But let's not get off topic.

These requirements should definitely be dropped. [They don't reflect how password strength works.](https://xkcd.com/936/)

If you want to require passwords to be secure, use [zxcvbn](https://github.com/dropbox/zxcvbn) to measure password strength, and require passwords to score at least 2/4 or whatever.
Member

This one looks like it is still waiting for a contributor; the issue is also frequently discussed in the Gitea issue tracker. PRs to Gitea welcome!

> These requirements should definitely be dropped.

Well, I'll agree that:

> Password does not pass complexity requirements:
> At least one special character (punctuation, brackets, quotes, etc.)
> At least one lowercase character
> At least one uppercase character
> At least one digit

is a little simplistic. The principle is alright, but it would be a lot better if the above was part of a broader definition, like:

* must be at least 8 characters long
* should not contain any common words like the login name, email address, or the word "password"
* ... come up with some rules yourself to expand this...

However, one must also realize that the above only comes up if an already attempted password did not meet *at least* these minimum requirements, meaning that at least one of the four categories is not represented at all!
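The four-class rule from the opening post, the NIST-style checker proposed in the linked Gitea issue, the zxcvbn suggestion and the broader rule set sketched in the comment above can be put side by side in code. The following Go program is an added example written for this page; it is not Gitea's or Codeberg's code and not the zxcvbn algorithm. The user name `joernhees`, the e-mail address, the tiny blocklist, the 128-character ceiling and the `codeberg` context word are constructed assumptions, and the entropy figure is the crude "charset size to the power of length" estimate, which overrates repetitive strings such as `aaa`.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
	"unicode/utf8"
)

// PassesCompositionRules reproduces the rule quoted in the issue: at least
// minLen characters and at least one lowercase, uppercase, digit and "special"
// (anything else) character. Length is counted in code points, not bytes.
func PassesCompositionRules(pw string, minLen int) bool {
	var lower, upper, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	return utf8.RuneCountInString(pw) >= minLen && lower && upper && digit && special
}

// EstimateEntropyBits is the naive log2(charset^length) estimate of the
// brute-force search space. It ignores repeats and dictionary words, so it is
// only good enough to show why a 20-char pwgen string beats "aaaA1.".
func EstimateEntropyBits(pw string) float64 {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	charset := 0
	if lower {
		charset += 26
	}
	if upper {
		charset += 26
	}
	if digit {
		charset += 10
	}
	if other {
		charset += 33 // printable ASCII punctuation and symbols
	}
	if charset == 0 {
		return 0
	}
	return float64(utf8.RuneCountInString(pw)) * math.Log2(float64(charset))
}

// PolicyResult reports whether a candidate password is acceptable and why not.
type PolicyResult struct {
	OK     bool
	Reason string
}

// sampleBlocklist is a constructed stand-in; a real deployment loads a large
// list of leaked and commonly used passwords.
var sampleBlocklist = map[string]struct{}{
	"password": {}, "password1": {}, "123456": {}, "12345678": {},
	"qwerty": {}, "letmein": {}, "codeberg": {},
}

// CheckNISTStyle follows the shape of the NIST SP 800-63B memorized-secret
// rules: a length floor of 8, a generous ceiling (800-63B says at least 64
// must be allowed; 128 here is an assumed choice), any Unicode accepted and
// counted per code point, no composition rules, and rejection of blocklisted
// values and context-specific words (user name, e-mail local part, service
// name, "password"). Context words shorter than 4 code points are skipped so
// a one-letter mailbox name does not reject everything containing that letter.
func CheckNISTStyle(pw, username, email string) PolicyResult {
	n := utf8.RuneCountInString(pw)
	if n < 8 {
		return PolicyResult{false, "shorter than 8 characters"}
	}
	if n > 128 {
		return PolicyResult{false, "longer than 128 characters"}
	}
	lowered := strings.ToLower(pw)
	if _, hit := sampleBlocklist[lowered]; hit {
		return PolicyResult{false, "on the common-password blocklist"}
	}
	context := []string{username, "password", "codeberg"}
	if at := strings.IndexByte(email, '@'); at > 0 {
		context = append(context, email[:at])
	}
	for _, w := range context {
		w = strings.ToLower(w)
		if utf8.RuneCountInString(w) >= 4 && strings.Contains(lowered, w) {
			return PolicyResult{false, fmt.Sprintf("contains %q", w)}
		}
	}
	return PolicyResult{true, "ok"}
}

func main() {
	for _, pw := range []string{"aaaA1.", "Nue0gaev3nooGoh5ahph", "Password123!", "correct horse battery staple"} {
		res := CheckNISTStyle(pw, "joernhees", "joern.hees@example.org")
		fmt.Printf("%-32q composition=%-5v ~%3.0f bits  nist=%-5v (%s)\n",
			pw, PassesCompositionRules(pw, 6), EstimateEntropyBits(pw), res.OK, res.Reason)
	}
}
```

Running it shows the inversion the opening post complains about: `aaaA1.` satisfies the four-class rule while the 20-character `pwgen` string does not, whereas the length-plus-blocklist policy accepts the pwgen string and the passphrase and rejects `aaaA1.` (too short) and `Password123!` (contains "password") without caring about character classes at all.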

Strong passwords are important, but probably equally important is a second factor for authentication.

We should advertise that possibility right in our UI when creating new accounts, if possible (I'm already putting it in the Getting Started guide, but I guess most people will figure out how to create an account themselves and thus not read that article).

Apart from that we should also point out the password policy clearly in the registration UI (even better: validate it without a round-trip to the server), because it's frustrating to need to re-generate an otherwise perfectly valid password just because it's missing special characters and to have a second round-trip of the registration form because of that.
Member

Maybe even have some (not too invasive?) banner to remind+encourage enabling 2FA?
Member

something like "did you know ...?"

Codeberg/build-deploy-gitea#39 disabled the password complexity requirements and increased the minimum password length from 6 to 8 characters. This issue can be closed now.

@n Would you prefer moving the discussion about a 2FA reminder to a new issue or to rename this issue and leave it open for now? (I'd personally prefer the former)

I'd prefer opening a new issue, since the annoying password requirements have been resolved.

Okay, then let's move discussion to #279 :)