> So attackers cannot password spray.

My password's not crackable, so it's annoying to be lumped in with that. I'd happily use a service-generated password to avoid login hassles.




I imagine what you are proposing then is to record the entropy of the password when you first register and, for accounts with sufficient password entropy, to not ask for a captcha after a few failed attempts.

With that, the site gives away whether the account has a low entropy password or not.
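
The leak described in the comment above, as an added example that is not part of the thread: a toy login service (Python; every name, threshold and password here is an assumption) that stores a crude character-class entropy estimate at registration and relaxes the CAPTCHA threshold for high-entropy accounts, next to the probe an attacker can run to sort accounts by password strength before spraying. Constructing the service with a uniform threshold closes the side channel, at the cost the thread is arguing about.

```python
"""Added example, not code from the thread or from any real site.

A per-account CAPTCHA threshold keyed on stored password entropy turns the
login endpoint into an oracle for which accounts have weak passwords.
"""
import math
import string

# Character-class model: bits = length * log2(size of the union of classes
# used). Crude (it overrates "Password1!"), but enough to show the policy.
_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 symbols
]

# Assumed policy constants.
HIGH_ENTROPY_BITS = 60.0   # cutoff for "strong" (e.g. service-generated) passwords
FREE_ATTEMPTS_LOW = 3      # failed attempts before a CAPTCHA on a weak account
FREE_ATTEMPTS_HIGH = 50    # far more lenient on a strong account


def estimate_entropy_bits(password: str) -> float:
    """Return the character-class entropy estimate in bits."""
    pool = sum(size for chars, size in _CLASSES if any(c in chars for c in password))
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


class LoginService:
    """Toy account store. uniform=True applies one CAPTCHA threshold to all
    accounts; uniform=False relaxes it for high-entropy passwords."""

    def __init__(self, uniform: bool = False):
        self._uniform = uniform
        self._users = {}  # username -> {"pw": str, "bits": float, "fails": int}

    def register(self, username: str, password: str) -> float:
        bits = estimate_entropy_bits(password)
        self._users[username] = {"pw": password, "bits": bits, "fails": 0}
        return bits

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad' or 'captcha' (the caller must solve a CAPTCHA
        before the password is even checked)."""
        u = self._users.get(username)
        if u is None:
            return "bad"
        if not self._uniform and u["bits"] >= HIGH_ENTROPY_BITS:
            limit = FREE_ATTEMPTS_HIGH
        else:
            limit = FREE_ATTEMPTS_LOW
        if u["fails"] >= limit:
            return "captcha"  # this branch is the observable difference
        if password == u["pw"]:
            u["fails"] = 0
            return "ok"
        u["fails"] += 1
        return "bad"


def probe_weak_accounts(service: LoginService, usernames, probes: int = FREE_ATTEMPTS_LOW + 1):
    """Attacker view: send a few wrong passwords to each account and watch for
    a CAPTCHA. Accounts that trip it within `probes` attempts are the ones
    the site classified as low-entropy, i.e. the worthwhile spray targets."""
    weak = []
    for name in usernames:
        for _ in range(probes):
            if service.login(name, "not-the-password") == "captcha":
                weak.append(name)
                break
    return weak


if __name__ == "__main__":
    leaky = LoginService()
    leaky.register("alice", "password1")           # constructed weak sample
    leaky.register("bob", "x7$Qm2!pLw9#Rz4V")      # constructed strong sample
    print("leaky policy flags:", probe_weak_accounts(leaky, ["alice", "bob"]))

    safe = LoginService(uniform=True)
    safe.register("alice", "password1")
    safe.register("bob", "x7$Qm2!pLw9#Rz4V")
    print("uniform policy flags:", probe_weak_accounts(safe, ["alice", "bob"]))
```

Against the leaky policy the probe returns only the weak account; against the uniform policy it returns every account, so the attacker learns nothing from the CAPTCHA timing. Note that the probe itself locks the weak account behind a CAPTCHA, which is the "they still have to keep solving captchas" point made later in the thread.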


> I imagine what you are proposing then is to record the entropy on the password

Or just generate secure high-entropy passwords and force users to use them.

Making users look up SMS codes before each login is acceptable. Making them solve obnoxious, long, privacy-hostile riddles is acceptable. But forcing them to use pre-generated secure passwords?! That can't possibly work. They will revolt!


> With that, the site gives away whether the account has a low entropy password or not.

Sure, why not? Way more than half of passwords are low-entropy, so that doesn't meaningfully help them focus attacks.

And they still have to keep solving captchas to make those attempts.

