Don't force the user to use a "secure" passphrase #1009

Open
damnms opened this issue May 5, 2020 · 15 comments
Comments

@damnms

damnms commented May 5, 2020

Is your suggestion related to a problem? Please describe.
When I click on "set up" for encrypted communication in Riot Web, it asks me for a password.
When I enter my password (12 chars, upper/lower case, special chars) it says "keep going".

Describe the solution you'd like
Inform the user that the password MIGHT be insecure. But let him proceed anyway.

Describe alternatives you've considered
Just don't "verify" a password. See https://xkcd.com/936/

Additional context

@t3chguy t3chguy changed the title dont force the user to use a "secure" password dont force the user to use a "secure" passphrase May 6, 2020
@t3chguy
Member

t3chguy commented May 6, 2020

Password is the thing you log in with.
Passphrase is the thing you unlock your secrets with.

@t3chguy
Member

t3chguy commented May 6, 2020

matrix-org/matrix-spec-proposals#2000 deals with removing the mismatched password security

@damnms
Author

damnms commented May 6, 2020

Thanks, then I mean passphrase.

@35609902357

Users should have no right of endangering all their recipients by choosing a weak passphrase

@damnms
Author

damnms commented May 7, 2020

by choosing a weak passphrase

I guess you are a troll. Otherwise you would have understood the xkcd I posted, which explains why the algorithm in use is broken.
Furthermore, forcing people to use the kind of password YOU prefer is a very bad practice. Also see https://uxplanet.org/why-complex-passwords-are-bad-design-and-5-ways-to-do-better-affcc4516406

If you decide to drive a small vehicle, it is up to you if you get crashed into by a 3t SUV which breaks every bone in an accident. Or do you want to forbid people from using small cars?

@35609902357

Your insult doesn't surprise me since your discussing capabilities are limited to such idiotic statements as the car comparison, which is not apt in any possible way to the discussion. And I will be so kind not to comment on the embarrassing link you posted (for those who want to save a click, the author argues password managers are bad and logging in via Facebook APIs is good). I will instead let you answer yourself.

forcing people to use the kind of password YOU prefer, is a very bad practice

That's why your suggestion to lower security standards is silly.

@damnms
Author

damnms commented May 7, 2020

I never said that security should be lowered. I said: don't force the user to follow any password rule, except maybe length. The user should be able to decide for himself whether he wants to use a low-quality password or a "high-end" password. It is the responsibility of the user, not yours.

the author argues password managers are bad and logging in via Facebook APIs is good

No idea which article you read, but for sure not the one I mentioned. The author argues that he would probably go with a password manager (like I do).
And he also only MENTIONS that, if it's not required to use your own authentication, you could think about going with the one of Amazon, Facebook, whatever provider.

I use KeePassX and the password which was chosen (12 chars, upper/lower/digits/special chars) was NOT enough. That's why I was complaining.

That's why your suggestion to lower security standards is silly.
I never said to lower security standards. I said give the user the responsibility/freedom back.

When I change my root password to "abc" I get a complaint/hint; when I enter "abc" again, it is set to abc because that's what I want. Period. No matter how insecure that is.

If you need a nanny for everything, then that is your thing. But please stop infantilizing people.

PS: English is not my native language, I hope you understand what I mean.

@35609902357

I will cut it short and in simple English so hopefully you will understand fully. You are asking for lower security standards for everyone, without even providing a valid reason for it. Since you said you use a password manager, you can create a strong password effortlessly. So there are two possibilities here:

  1. this is just a whim
  2. some of your contacts complained about the necessity of using a strong passphrase, in which case it's the perfect opportunity to educate them about good security practices.

In both cases you provide the perfect answer once again:

if you need a nanny for everything, then it is your thing.

@damnms
Author

damnms commented May 7, 2020

lower security standards for everyone

No. One more time. I would like to have more flexibility/freedom. If a user wants a 4k-char passphrase with all kinds of cryptic chars, that's fine for him - he can have a, in your opinion, super special super duper strong passphrase. He has maximum security, no lowering of security standards for others!
If a user is happy with a 12-char passphrase with upper/lower/digits/special chars (like I am), then that is enough too.

When I type in "idontwanttod", then that's enough, but 12 chars with mixed chars is not. WTH?
When I use "langespassword", it is not enough, eh?

to educate them about good security practices

This complete topic is not about the security aspect, it is about freedom of choice. When I want a passphrase like "password", then this should be my decision. I am fine with a warning, but aborting the process, or rather not starting it, is simply wrong.

This reminds me of:
Hell is paved with good intentions.

@t3chguy
Member

t3chguy commented May 7, 2020

I guess the bit being alluded to here is that by choosing a weaker password you are the weakest link in the security chain and thus weakening the security for all your peers.

@damnms
Author

damnms commented May 7, 2020

  1. Explain why they need secure passwords
    We should explain to our users why they need secure passwords. Passwords will protect users' privacy and prevent identity theft. So, why shouldn't we tell the user this? Obviously, a course about passwords is overdone, but you could offer a "Why do I have to do this" button, just like Gmail does.

This is from the link I posted above.
What is the exact/concrete risk that is introduced when I use a passphrase like "123!blahra" (which is displayed as not being secure enough)?

@35609902357

There's nothing to add to what @t3chguy said. If you still don't understand, maybe you don't want to. Happy to see the Matrix team taking sane decisions.

@damnms
Author

damnms commented May 7, 2020

@35609902357
Could you stop spamming this thread? Thanks.

You posted in this thread https://github.com/vector-im/riot-web/issues/8751 that it should be better documented: "effort should be addressed toward ease of use, easy and pleasant first time wizard with clear options and easy to use default values, with the possibility for power users to choose more advanced options, and pleasant UI". Now, when I say "this should be better documented" it is insane? lol, this is ridiculous.

Then yes, it makes sense that passphrases should stay, but they should be explained better to make as clear as possible the risks stemming from a weak passphrase, and above all the fact that providing the passphrase itself is not mandatory, nor does it add security, and that it means the recovery key will touch the server if provided.

If you still don't understand maybe you don't want to.

The problem is: if I don't understand, there are probably many others that don't understand either.
If you are too stuck-up to explain what the exact problem is, then don't tell others that they don't want to understand.

And maybe you should stop lying ("the author argues password managers are bad and logging in via Facebook APIs is good" - he said none of that). That's a bad habit.
Anyway, you are now the first person on my blocked user list. Congratulations!

@jryans jryans changed the title dont force the user to use a "secure" passphrase Don't force the user to use a "secure" passphrase May 11, 2020
@jryans jryans added X-Needs-Product More input needed from the Product team and removed X-Needs-Product More input needed from the Product team labels May 21, 2020
@brandonrobertz

brandonrobertz commented Feb 5, 2021

IMO this needs to be a toggle in a config somewhere. For just testing and getting non-technical people online, forcing them to use a password manager is a hurdle to adoption. Most Matrix server implementations have lockout periods for failed attempts, which makes brute-forcing weak passwords impractical. Secure by default with a toggle in the config would be my vote if I got one.

@rltas

rltas commented Feb 16, 2023

The only requirement I see is that the passphrase has sufficient length, which is precisely what that xkcd is about. So either there has been a change to the policy since the issue was created, or the creator didn't get it. Not vetoing a config option to define the minimum length, but I'd create a new issue for that, because this one is, quite frankly, stupid.
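To make the design the thread circles around concrete (a minimum length as the only hard rule, a warning instead of a hard stop, and a config toggle deciding whether the user may proceed), here is an added example that is not Element/Riot code and does not reproduce the strength meter the app actually uses. The entropy estimate, the 12-character floor, the 60-bit warning threshold and the `allowWeak` toggle are all assumptions made for illustration.

```javascript
// Added example (not Element/riot-web code): a passphrase gate whose only
// hard requirement is a configurable minimum length. Weaker input produces
// a warning the UI can display, and the allowWeak toggle decides whether
// the user may continue anyway. All thresholds are assumptions.

const DEFAULT_POLICY = { minLength: 12, warnBelowBits: 60, allowWeak: true };

// Crude entropy estimate: length * log2(size of the character pool used).
// It overstates strength for dictionary words, so treat it only as a hint
// shown to the user, never as the hard rule.
function estimateBits(passphrase) {
  let pool = 0;
  if (/[a-z]/.test(passphrase)) pool += 26;
  if (/[A-Z]/.test(passphrase)) pool += 26;
  if (/[0-9]/.test(passphrase)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(passphrase)) pool += 33; // printable ASCII symbols
  return pool === 0 ? 0 : passphrase.length * Math.log2(pool);
}

// Returns { ok, bits, level, message }. ok is false only when the length
// rule fails or when the policy forbids proceeding with a weak passphrase;
// otherwise a weak passphrase yields ok=true together with a warning.
function checkPassphrase(passphrase, policy = DEFAULT_POLICY) {
  const bits = estimateBits(passphrase);
  if (passphrase.length < policy.minLength) {
    return { ok: false, bits, level: 'too-short',
      message: `Passphrase must be at least ${policy.minLength} characters.` };
  }
  if (bits < policy.warnBelowBits) {
    const est = Math.round(bits);
    return { ok: policy.allowWeak, bits, level: 'weak',
      message: policy.allowWeak
        ? `This passphrase looks weak (~${est} bits). You may continue anyway.`
        : `This passphrase looks weak (~${est} bits) and the policy does not allow it.` };
  }
  return { ok: true, bits, level: 'ok', message: '' };
}

// Walk the thread's own sample passphrases through the default policy.
for (const p of ['123!blahra', 'idontwanttod', 'langespassword']) {
  const r = checkPassphrase(p);
  console.log(`${p}: ${r.level} (${r.bits.toFixed(1)} bits) ok=${r.ok}`);
}
```

Under these assumptions "123!blahra" fails only on length, "idontwanttod" passes with a warning, and flipping `allowWeak` to false turns that warning into a rejection without touching the length rule.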

@t3chguy t3chguy transferred this issue from element-hq/element-web Feb 16, 2023