EDIT: Upon registration "Password must contain 1 number, 1 uppercase letters, 1 lowercase letters, 1 non-alpha numeric number, 8-16 characters with no space."
Not sure if that's a Matrix limitation or just javascript validation, but if it's on your end please don't do that... if anything you're enforcing less secure passwords.
Technically yes, but the fact that SPAs require explicit and extra code/configuration to make them work when this functionality (url nav) is a works-by-default inherent part of the web's core design makes them arguably broken by design.
Note, some of that is a requirement by the Matrix protocol and is out of clients control. It's ultimately up to the server to configure different password requirements.
> Clients SHOULD enforce that the password provided is suitably complex. The password SHOULD include a lower-case letter, an upper-case letter, a number and a symbol and be at a minimum 8 characters in length. Servers MAY reject weak passwords with an error code M_WEAK_PASSWORD.
While it can, my opinion is the client and server should not enforce anything about password strength, but MAY warn the user about weak passwords.
The criteria that I think would be acceptable to be enforced includes:
- A maximum (not a minimum) length, which must be suitably long, perhaps 200 bytes (or longer).
- Rejecting passwords containing null bytes.
- Rejecting passwords containing sequences of bytes that cannot be transmitted using the protocol, if it is necessary to transmit the password using the protocol at all (which it might not be, since it might use a hash instead). (This depends on the protocol.)
- If despite the advice above, the client knows that the server will reject other passwords too, and knows precisely what the criteria are, the client can reject the same passwords.
Examples of some things that should be allowed (and should not be rejected) include:
- Passwords that are short.
- Passwords that include your username as a substring.
- Character classes/lack of character classes (e.g. you should not require nor prohibit punctuation).
- Control characters (if not causing problems with the protocol like mentioned above).
- Invalid UTF-8 sequences.
(Just because they are allowed though, does not necessarily mean that they should be recommended.)
Also, passwords should always be case-sensitive.
The user should decide by themself what password they want to set, although it is OK to include advice that is optional.
Not to be overly pedantic, but SHOULD is not a requirement according to https://www.ietf.org/rfc/rfc2119.txt, but a recommendation that should be fully understood before making a different decision. I fully agree that it should be a different measure of complexity though!
As a side-note, I wish I could give lastpass a regex or pattern or something to check auto-generate guesses against (it would be great to have a [trusted] library of these, too). I often end up regenerating or tweaking my auto generate settings a few times for every new account I create to get around this stuff.
Password managers are great until you need to log in on someone else’s machine. Especially when you don’t have your device on you. It’s bitten me before.
If you have hundreds of unique passwords, I don't see an alternative unless you're a savant or use predictable patterns. But that doesn't mean there aren't ways to get around it. For one, using a password manager shouldn't stop you from remembering your most important passwords, especially those you expect to use in other people's machines. You can take some extra care to make these important passwords easy to remember while still being secure. I could go on but everything I'd say is quite obvious.
As for the other requirements, it's just a matter of enabling various options in your password manager's generator. And if you're not using a password manager, it's very probable you're using/reusing insecure passwords.
I think that maximum 16 characters is way too short. Perhaps 127 bytes might be a suitable maximum, although it should be more if possible. (This does not mean that you are required to enter a password of at least that length; it is only the maximum length, not the minimum length.)
__________
EDIT: Upon registration "Password must contain 1 number, 1 uppercase letters, 1 lowercase letters, 1 non-alpha numeric number, 8-16 characters with no space."
Not sure if that's a Matrix limitation or just javascript validation, but if it's on your end please don't do that... if anything you're enforcing less secure passwords.
__________
EDIT 2: Hitting reload on https://app.cinny.in/register leads to a 404