I have two more to add to the list:
> Secret questions
No, my mother's maiden name is not a secret. And some questions like "who was your best friend in elementary school?" might have different answers depending on when you ask me. Plus, unless my best friend's name was Jose Pawel Mustafa Mungabi de la Svenson-Kurosawaskiwitz (we used to call him Joe) it's pretty easy to guess with a dictionary attack. The only way to answer these questions securely is to make up an answer that's impossible to guess, which results in a second password.
> Your password must contain these particular characters
I understand that this rule is to prevent people from using passwords like "kittycat", but "k!ttyc4T" is still less secure than "horse battery staple correct".
I remember that a not-so-recent investigation recommended five words. (Also you got the order wrong, "correct" was at the front, but you'd probably get it right second try, so the concept is still good.)
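A rough way to put numbers on the comparison in the two posts above ("k!ttyc4T" vs. a four- or five-word passphrase). This is an added example, not code from any of the commenters. It assumes a crude attacker model: the cracker has a 20,000-word base dictionary and tries, for each word, every combination of the leet substitutions in the table below plus upper/lower case per letter (what a word-mangling rule set does). The dictionary size and the substitution table are assumptions for illustration; the tiny word list in the generator is constructed for the demo and a real passphrase needs a full diceware-style list.

```python
"""Entropy comparison: a mangled dictionary word vs. a random passphrase.

Added example for the thread above; the attacker model and list sizes are
assumptions chosen for illustration, not measurements.
"""
import math
import secrets

# Assumed size of the base-word dictionary the cracker starts from.
COMMON_WORDS = 20_000

# Assumed leet alternatives per letter. Each letter may stay as written
# (lower or upper case) or be replaced by one of these characters.
LEET = {
    "a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7", "l": "1",
}

# A standard diceware list has 6**5 = 7776 entries.
DICEWARE_LIST_SIZE = 7776

# Constructed mini word list so the generator runs offline; not a real list.
DEMO_WORDLIST = ["horse", "battery", "staple", "correct", "kitten", "mango"]


def mangling_variants(base_word: str) -> int:
    """Number of strings a mangling rule set derives from base_word.

    Per letter: lower case, upper case, or any of its leet substitutes.
    Non-letters (digits, punctuation) are left alone, so one variant.
    """
    variants = 1
    for ch in base_word.lower():
        if ch.isalpha():
            variants *= 2 + len(LEET.get(ch, ""))
    return variants


def mangled_word_bits(base_word: str, dictionary_size: int = COMMON_WORDS) -> float:
    """Bits of guessing work for a leet/case-mangled dictionary word.

    The attacker must find the right base word (dictionary_size choices)
    and the right mangling (mangling_variants choices).
    """
    return math.log2(dictionary_size * mangling_variants(base_word))


def passphrase_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits of entropy for word_count words chosen uniformly at random."""
    return word_count * math.log2(list_size)


def make_passphrase(word_count: int, wordlist=None) -> str:
    """Pick word_count words with a CSPRNG; joined with spaces."""
    words = wordlist if wordlist is not None else DEMO_WORDLIST
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # "kittycat" is the base word behind "k!ttyc4T" in the thread.
    print(f"k!ttyc4T-style: {mangled_word_bits('kittycat'):.1f} bits")
    for n in (4, 5):
        print(f"{n} diceware words: {passphrase_bits(n):.1f} bits")
    print("sample (demo list only):", make_passphrase(4))
```

Under these assumptions "kittycat" with leet and case mangling is about 26 bits of work, against roughly 52 bits for four diceware words and 65 for five; the word order matters only in the sense that the attacker must also get it right, which is already counted in the per-word entropy.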
> Jose Pawel Mustafa Mungabi de la Svenson-Kurosawaskiwitz
How in the #%*^ did you figure out my secret question?
I absolutely hate security theatre. And these kinds of things are just that. In fact, I'm sure that difficult-to-remember passwords make us less secure as we forget or write them down.
> "kittycat", but "k!ttyc4T" is still less secure than "horse battery staple correct".
Well... something like that. Please don't use exactly "horse battery staple correct".
There seems to be an easy solution: use a password manager and save the answer to the question as an additional password.
(This is actually a FR to any password manager's product team: it's time to treat things like 2FA recovery codes and secret question answers as first-class citizens in your product.)