undefined | Better HN

0 pointsDylan168076y ago0 comments

> So attackers cannot password spray.

My password's not crackable, so it's annoying to be lumped in to that. I'd happily use a service-generated password to avoid login hassles.

0 comments

therein6y ago

I imagine what you are proposing then is to record the entropy on the password when you first register and for accounts with sufficient password entropy to not ask for a captcha after few failed attempts.

With that, the site gives away whether the account has a low entropy password or not.

yc123406y ago

> I imagine what you are proposing then is to record the entropy on the password

Or just generate secure high-entropy passwords and force users to use them.

Making users look up SMS codes before each login is acceptable. Making them solve obnoxious, long, privacy-hostile riddles is acceptable. But forcing them to use pre-generated secure passwords?! That can't possibly work. They will revolt!

Dylan16807OP6y ago

> With that, the site gives away whether the account has a low entropy password or not.

Sure, why not? Way more than half of passwords are low-entropy, so that doesn't meaningfully help them focus attacks.

And they still have to keep solving captchas to make those attempts.

j / k navigate · click thread line to collapse