ToastWallet / core

This repo contains the core code for Toast Wallet. It is built for iOS, Android and browser directly from this repository. PC builds are built from the browser version using Electron.
GNU General Public License v2.0

Propose removing arbitrary password rules. #26

Open internalfx opened 6 years ago

internalfx commented 6 years ago

NIST’s new password rules

No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”

Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.

https://blog.codinghorror.com/password-rules-are-bullshit/

ToastWallet commented 6 years ago

Hi Bryan

Thanks for the pull request.

Entering a passphrase on mobile is a pain. A shorter passphrase with greater complexity is advantageous in this setting. But I agree it makes it more likely that users will forget their passphrase, and also more likely that users will pick short passphrases they merely think are complex when they aren't.

Rather than remove the other rules and replace them with a minimum 10-character length, it might be better to come up with an algorithm to test complexity (or find an existing one that isn't too heavyweight). Then, according to that algorithm, we will let them set the requested passphrase or not. So a short passphrase with high complexity would pass, as would a long phrase with low complexity, but a short passphrase with low complexity would fail.

Interested to see what you come up with!

internalfx commented 6 years ago

Complexity is not a metric we should measure. That is part of the problem with the way most of us (including me at one time) used to think about password security.

The fact is...

Complexity != Security

So we should measure for security, not complexity, and anything under 10 chars (depending on the slowness of the algorithm) is inherently insecure.

I think we should also check against leaked password lists if we want to be more proactive. But "composition rules" need to go, and short passwords do too.

https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

ToastWallet commented 6 years ago

Sorry let me clarify: when I say complexity I actually mean entropy per character taking into account password lists and common brute force techniques. This is what I think we should measure.

internalfx commented 6 years ago

Sounds like we're on the same page.

Have you considered zxcvbn?

https://github.com/dropbox/zxcvbn

ToastWallet commented 6 years ago

Looks like exactly what we need thanks!
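The policy the thread converges on (no composition rules; estimate guesses per passphrase so that a short-but-random string and a long-but-plain phrase both pass while a short, dictionary-based one fails; reject anything on a leaked-password list) can be shown in code. The block below is an added example written for this page. It is not ToastWallet code and it is not the zxcvbn library; it is a deliberately small estimator in the spirit of zxcvbn's dictionary and brute-force matchers. The word ranks, the leaked-password set, the one-substitution-per-character l33t table and the `MIN_GUESSES` threshold are all constructed for the example; the score bands (10^3, 10^6, 10^8, 10^10) are the ones zxcvbn documents.

```javascript
// Added example (not ToastWallet code, not the zxcvbn library): a simplified
// guess-count estimator in the spirit of zxcvbn, enforcing the policy from the
// thread: no composition rules, reject what is cheap to guess, accept short+strong
// and long+weak, reject anything found in a leaked-password list.

// Constructed stand-in for a breach corpus (a real deployment would bundle a
// top-N list or do a k-anonymity range query against a breach service).
const LEAKED = new Set(["password", "123456", "qwerty", "letmein", "password1", "iloveyou"]);

// Constructed frequency ranks (rank 1 = most common). A real list has 10^4-10^5 words.
const RANK = new Map(Object.entries({
  password: 1, admin: 40, monkey: 90, dragon: 120, summer: 300,
  toast: 1200, money: 1500, correct: 1500, horse: 1800, wallet: 2500,
  battery: 4000, ripple: 6000, staple: 9000,
}));

// One substitution per character, patterned after zxcvbn's l33t table
// (zxcvbn tries every combination; this example keeps a single candidate).
const L33T = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };

function unl33t(s) {
  return s.toLowerCase().replace(/./g, (c) => L33T[c] || c);
}

// Dictionary match: rank, doubled for capitalisation and again for l33t
// substitutions (zxcvbn uses proper combinatorics here; this is the crude form).
function dictionaryGuesses(token, word) {
  let guesses = RANK.get(word);
  if (/[A-Z]/.test(token)) guesses *= 2;
  if (token.toLowerCase() !== word) guesses *= 2;
  return guesses;
}

// Unmatched chunk: (size of the character classes present) ^ length,
// computed by repeated multiplication so the result stays an exact integer.
function bruteForceGuesses(token) {
  let charset = 0;
  if (/[a-z]/.test(token)) charset += 26;
  if (/[A-Z]/.test(token)) charset += 26;
  if (/[0-9]/.test(token)) charset += 10;
  if (/[^a-zA-Z0-9]/.test(token)) charset += 33;
  let guesses = 1;
  for (let k = 0; k < token.length; k++) guesses *= charset;
  return guesses;
}

// Greedy left-to-right segmentation: longest dictionary match (at least 3 chars)
// at each position; everything between matches becomes a brute-force chunk.
function segment(pw) {
  const chunks = [];
  let i = 0;
  let bruteStart = -1;
  const flushBrute = (end) => {
    if (bruteStart < 0) return;
    const token = pw.slice(bruteStart, end);
    chunks.push({ type: "bruteforce", token, guesses: bruteForceGuesses(token) });
    bruteStart = -1;
  };
  while (i < pw.length) {
    let match = null;
    for (let j = pw.length; j - i >= 3; j--) {
      const token = pw.slice(i, j);
      const word = unl33t(token);
      if (RANK.has(word)) { match = { token, word, end: j }; break; }
    }
    if (match) {
      flushBrute(i);
      chunks.push({ type: "dictionary", token: match.token, word: match.word,
                    guesses: dictionaryGuesses(match.token, match.word) });
      i = match.end;
    } else {
      if (bruteStart < 0) bruteStart = i;
      i++;
    }
  }
  flushBrute(pw.length);
  return chunks;
}

// Total guesses: product over chunks (zxcvbn adds a combinatorial factor; omitted).
function estimateGuesses(pw) {
  return segment(pw).reduce((acc, c) => acc * c.guesses, 1);
}

// zxcvbn's score bands: 0 below 1e3, 1 below 1e6, 2 below 1e8, 3 below 1e10, 4 otherwise.
function score(guesses) {
  if (guesses < 1e3) return 0;
  if (guesses < 1e6) return 1;
  if (guesses < 1e8) return 2;
  if (guesses < 1e10) return 3;
  return 4;
}

// Constructed threshold: an encrypted wallet file can be attacked offline, so
// require the top band rather than any length or character-class rule.
const MIN_GUESSES = 1e10;

function checkPassphrase(pw) {
  if (LEAKED.has(pw.toLowerCase())) {
    return { ok: false, reason: "found in leaked-password list", guesses: 1, score: 0 };
  }
  const guesses = estimateGuesses(pw);
  const ok = guesses >= MIN_GUESSES;
  const reason = ok ? "" : "too guessable (" + guesses.toExponential(1) + " guesses)";
  return { ok, reason, guesses, score: score(guesses) };
}

// Constructed inputs: a composition-rule-compliant password is rejected, a
// 25-character all-lowercase phrase and a 6-character random string are accepted.
for (const pw of ["Summer2019", "P@55w0rd", "LetMeIn", "correcthorsebatterystaple", "xK9#pL"]) {
  console.log(JSON.stringify(pw), checkPassphrase(pw));
}
```

Two caveats a practitioner would want. First, this toy has no repeat, sequence, keyboard-walk or date matchers and a dozen-word dictionary, so it overestimates inputs such as `abcdefghijkl`; the real library (`zxcvbn(password, user_inputs)`, which returns `guesses`, `score`, `feedback` and `crack_times_seconds`) is what the wallet should call, passing user-specific strings such as the account name as `user_inputs`. Second, the threshold should be derived from the wallet's key-derivation cost: the relevant zxcvbn figures for an encrypted seed that can be copied off the device are the offline crack-time estimates, not the online ones.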