nitrocode
commented
1 year ago I agree with this.
Perhaps a set of rules and why the rule exists? Shellcheck, hadolint, etc use prefixes and numerate their rules and show why the rule exists and how to remediate. Obviously we cannot provide remediation steps for the user but perhaps we can optionally show remediation steps for each rule for the website that breaks the rule?
Example https://github.com/koalaman/shellcheck/wiki/SC1000
Maybe we can use DP (dumb passwords) as a prefix?
Here are some generic enough rules that could be measurable. Each infraction could be 10 points and subtracted from 100.
- DP0001: maximum password of less than 32 chars
- bad because the longer the password, better the entropy and harder it is for bots to guess the password
- this could have levels for instance passwords with a max of less than 24, 16, 8 characters
- DP0002: does not allow all letters
- bad because excluding characters makes the password easier to guess
- DP0003: does not allow all numbers
- bad because excluding characters makes the password easier to guess
- DP0004: does not allow all special characters
- bad because excluding characters makes the password easier to guess
- DP0005: cannot paste password
- bad because password managers randomly generate a password and by not being able to paste, this will require users to painfully enter their password, use a browser extension to remove the block, or turn their password into something easier and memorable (such as a phrase) which will reduce password security
- DP0006: password is truncated
- very bad because the user is allowed to use a password upon registration that doesnt work on subsequent logins. This leaves the user confused and they may have to recover the account and regenerate a smaller simpler password which reduces password security
- DP0007: hidden requirements
- bad because the requirements are shown after attempting to register
- DP0008: password is not checked case sensitively
- bad because this reduces password complexity
- DP0009: no minimum set to passwords
- bad because users may create too short of a password
- DP0010: exact number of characters
- bad because password managers default to a specific number like 12 or 16 and now we have to configure it to work with whatever this websites requirement is
- more?
duffn
From https://news.ycombinator.com/item?id=34804150
We should have some sort of system to rank entries in order of ludicrousness or some other factor. 1-10 on a scale of "dumbness"? Of course, this is subjective, but even listing a site on here is subjective, so this should be okay.