
If your service tells me that myname+servicexyz@gmail.com is an invalid address, you have to live without me. I can't count how many mails I sent to websites incorrectly validating email fields. However, password validation is mostly even worse. Just stop over-validating already!


Hushmail has a fantastic pseudonym service (among other fantastic services) for this use case.

  real email: name@hushmail.com
  servicexyz: name.servicexyz@nym.hushmail.com
  serviceabc: whatever-isnt-already-taken@nym.hushmail.com

https://www.hushmail.com/ (no affiliation)


No, you forcing me to include a number does not make my password more secure.

Weak password: correcthorsebatterystaplefoobarbaz

Strong password: password1

The worst is when they do that and enforce a maximum password of 8 or 12 characters (I'm looking at you, every bank in the US ever).


Is the top password not stronger than the bottom one in your example?


That was his point. Web services incorrectly classifying the strength of user-supplied passwords.


The labels ("strong", "weak") are ironic.


Agreed that password validation is the worst. (Github, I'm looking at you.)

Even worse than excessive validation is when they make you change your password often, for no apparent reason.

On some sites that do both (ahem Apple), the only way I can log in if I haven't been there in a while is the security questions or the password reset mechanism.


Wow, I never noticed that Github enforces password rules, as well (Must contain one lowercase letter, one number, and be at least 7 characters long.). My passwords are usually HMAC-based, so they'll most likely validate.
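The composition rule quoted above, run against the two passwords from earlier in the thread, next to a check that uses only a length floor and a blocklist. This is an added example, not part of any comment and not any site's actual code; the blocklist contents, function names, and the `min_len`/`max_len` values of the second check are assumptions made for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456789", "qwerty123", "letmein1"}

def composition_rule(pw, max_len=None):
    """The rule quoted in the thread: one lowercase letter, one number, 7+ characters.
    max_len models the 8 or 12 character cap mentioned in an earlier comment."""
    if len(pw) < 7:
        return (False, "too short")
    if max_len is not None and len(pw) > max_len:
        return (False, "too long")
    if not re.search(r"[a-z]", pw):
        return (False, "needs a lowercase letter")
    if not re.search(r"[0-9]", pw):
        return (False, "needs a number")
    return (True, "ok")

def length_and_blocklist(pw, min_len=8, max_len=256):
    """Alternative check (assumed parameters): no character-class rules, a length
    floor, a generous ceiling, and rejection of known-common passwords."""
    if len(pw) < min_len:
        return (False, "too short")
    if len(pw) > max_len:
        return (False, "too long")
    if pw.casefold() in COMMON_PASSWORDS:
        return (False, "commonly used password")
    return (True, "ok")

def compare(passwords, cap=12):
    """Run each candidate through both policies and collect the verdicts."""
    return {
        pw: {
            "composition": composition_rule(pw),
            "composition_capped": composition_rule(pw, max_len=cap),
            "length_blocklist": length_and_blocklist(pw),
        }
        for pw in passwords
    }

if __name__ == "__main__":
    # The two passwords from the thread.
    for pw, verdicts in compare(["password1", "correcthorsebatterystaplefoobarbaz"]).items():
        print(pw)
        for policy, (ok, reason) in verdicts.items():
            print(f"  {policy:20s} {'accept' if ok else 'reject'} ({reason})")
```
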


Even validation of first & last names is usually awful. For instance, many sites tell you that having a dash "-" in your first name is invalid... yet a lot of French (first or last) names contain that character.


Those who happen to own a domain name and a small hosting plan with Cpanel can easily redirect all mail to that domain for a specific email address. This way you can replace the plus sign with a dot, which works everywhere.

And I've had my problems with short addresses before with Microsoft. http://answers.microsoft.com/en-us/windowslive/forum/liveid-...



