[nycphp-talk] Relax your password rules
Federico Ulfo
rainelemental at gmail.com
Mon Jun 9 13:55:44 EDT 2014
I share the same feeling on too pretending password rules:
"Your password must contain a capital letter, a number, an emoji, 8
elements from the periodic table and a plot containing a protagonist with
some character development and a twist ending."
but I couldn't suggest to make password less restrictive and that's because
too often people use the same password just with a small variation.
A safer and easier solution is to offer Oauth with Google, Facebook or
Twitter. I personally prefer to use my social to log everywhere because
they're safe, (thanks 2 step auth!) and I don't have to use OnePassword, or
any mental trick to remember all my passwords.
So my suggestion is to implement a secure password policy and on top of
that implement Oauth.
On Mon, Jun 9, 2014 at 11:07 AM, Pierpaolo D'Aimmo <daimmo at gmail.com> wrote:
> I had issues with FB authentication when trying to login from a mobile.
> Last time it happened it was with Grooveshark. I created the account with
> a FB login from a desktop, then tried to login on mobile and it was
> impossible, since their mobile interface doesn't use FB login.
>
> Pierpaolo D'Aimmo
> +1 201 892 1270
> daimmo at gmail.com
>
>
> On Mon, Jun 9, 2014 at 11:02 AM, Chris Snyder <chsnyder at gmail.com> wrote:
>
>> More and more people just use "I forgot my password", and deal with it
>>>> that way. Either you've exchanged the password for a security question, or
>>>> just access to a user's email.
>>>>
>>>
>>>
>> For casual access, it's okay to just skip the password field altogether
>> and use a token sent to email or sms as an authenticator. If you're
>> building something that a user is only going to log into once a month or
>> less, it may be less annoying to them to do an email roundtrip then it is
>> to create yet another password.
>>
>> At the other end of the spectrum, I preach the gospel of the password
>> manager to anyone who will listen.
>>
>> On a side note, I get annoyed at services that want to use Facebook or
>> some other social network to log me in, because I don't necessarily want my
>> account on one site to be linked to my account on another. As a user in
>> that situation, I have to think about a whole raft of other issues: is this
>> *really* Facebook's form, does the site get access to my timeline and
>> friends, does Facebook have access to my account on this site, will my
>> Facebook password still be on the clipboard after I log in, etc.
>>
>> _______________________________________________
>> New York PHP User Group Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> http://www.nyphp.org/show-participation
>>
>
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show-participation
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20140609/e767735a/attachment.html>
More information about the talk
mailing list