Comment by ianopolous

Comment by ianopolous 4 days ago

Humans shouldn't generate passwords. ~0 people are good at that. Websites should just generate a password for a user, letting them regenerate as many times as they like until they get one they like (without breaking password manager based generation). A bit like this: https://peergos-demo.net/?signup=true

baq 4 days ago

~0 people want to remember passwords. generating passwords for them without offering to securely store them in a password manager strikes me as misguided.

Reply View 3 replies

ianopolous 4 days ago

People should absolutely be using password managers where possible.
A website doesn't have control over whether you are using a password manager though. This is about stopping the human from generating a password themselves, which will be terrible.

Reply View | 2 replies
- baq 4 days ago
  
  I mean, at this point might as well drop the password requirement completely and send an email login link every time a user gets logged out and wants to log back in. It's how 'reset password' feature works for some people anyway.
  
  Reply View | 1 reply
  
  ianopolous 4 days ago
  
  Yep, if that's possible for your service that works. If the service doesn't want your email and/or doesn't have access to your data, e.g. an E2EE service where account reset is impossible, then that's not an option.
  The supposition for all this is that the service wants to use passwords for whatever reason. In that case, generate them for the user.
  
  Reply View | 0 replies