Password complexity requirements - ABSURD

Answered

The new password complexity requirements you have for Jetbrains accounts are complete insanity.

7 comments

Official comment

Hello,

Thank you for reaching out.

Our password complexity requirements are currently based on OWASP (Open Web Application Security Project) recommendations related to password authentication: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls.

There is the following recommendation in particular:

Include password strength meter to help users create a more complex password and block common and previously breached passwords.
- zxcvbn library can be used for this purpose.

We use the zxcvbn library to ensure that the password's entropy is sufficient, because such an approach can be considered one of the industry best practices.
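To illustrate the approach the official comment describes, here is an added example that is neither JetBrains' code nor the zxcvbn library itself: a password-acceptance check that rejects passwords found in a breach corpus (via a hashed denylist) and rejects guessable ones using a simplified, constructed stand-in for zxcvbn's pattern-based guess estimate, including the account-specific inputs (email, name) that zxcvbn lets you penalize. The threshold, word list and denylist are assumptions; a production check would call the real zxcvbn and query a real breach corpus.

```python
import hashlib
import math
import re

# Constructed stand-in for a breached-password corpus: SHA-1 of a few passwords
# seen in every public leak. A real deployment checks a full corpus.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "welcome1")
}
# Tiny dictionary standing in for zxcvbn's ranked word lists (assumed).
COMMON_WORDS = ("password", "welcome", "jetbrains", "admin", "summer", "dragon")
MIN_LOG10_GUESSES = 8.0  # assumed policy: roughly zxcvbn score 3 (>= 1e8 guesses)

def estimate_log10_guesses(password: str, user_inputs=()) -> float:
    """Simplified zxcvbn-style estimate: cheap patterns are removed and charged
    a few guesses each; only the leftover text is charged as brute force."""
    rest = password.lower()
    log_guesses = 0.0
    # Account-specific tokens (email, name) are the first thing an attacker tries.
    for token in user_inputs:
        token = token.lower()
        if len(token) >= 3 and token in rest:
            rest = rest.replace(token, "")
            log_guesses += 1.0
    for word in COMMON_WORDS:
        if word in rest:
            rest = rest.replace(word, "")
            log_guesses += math.log10(len(COMMON_WORDS) * 10)  # word + casing variants
    rest, n = re.subn(r"(19|20)\d\d", "", rest)  # a year is ~200 guesses, not 10^4
    log_guesses += n * math.log10(200)
    rest, n = re.subn(r"(.)\1{2,}", "", rest)  # repeats such as "111" or "!!!"
    log_guesses += n * 1.0
    if rest:  # whatever survives is charged as brute force over the classes present
        charset = sum(size for pat, size in ((r"[a-z]", 26), (r"\d", 10), (r"[^a-z\d]", 33))
                      if re.search(pat, rest))
        log_guesses += len(rest) * math.log10(charset)
    return log_guesses

def check_password(password: str, user_inputs=()) -> tuple[bool, str]:
    """Accept or reject with a reason, so the UI can explain instead of just refusing."""
    if len(password) < 8:
        return False, "too short"
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        return False, "appears in breach corpus"
    log_guesses = estimate_log10_guesses(password, user_inputs)
    if log_guesses < MIN_LOG10_GUESSES:
        return False, f"too guessable (~10^{log_guesses:.1f} guesses)"
    return True, "ok"
```

The reason string is what makes such a policy tolerable to users: "Password2021" is rejected not for lacking a symbol but because a dictionary word plus a year is a few thousand guesses, while a long passphrase passes without any character-class rules.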

One of the worst possible user experiences you could possibly create. This anti-user behavior deserves to face loss in sales. Your account abandonment (and proxy, shopping cart abandonment) rate rightfully so should go through the roof.

Thank you for your feedback.

We're sorry to hear that you had such an experience with our portal.

Unfortunately, your comment does not contain any suggestions or password examples that you would like to use but that the portal does not let you proceed with.

Please describe in more detail and share your thoughts about improving the portal and your ideas about password complexity, with some examples.

Eliminate passwords entirely. Your service has no justification to be an identity provider.

Well, our portal contains customers' private data, which is quite sensitive, and most of our customers want to keep it safe. Unfortunately, you have not provided details or any password examples.

I can discuss with our security team what can be done about the password complexity, but I want to hear your suggestions and examples to be able to do so.

I didn't say eliminate security. You just should have no place in authentication.

We're working on a feature to give our customers a more flexible way to sign in, such as authentication to JetBrains Account via 3rd-party providers (Google, Facebook, GitHub, etc.).

Could you please clarify whether that feature would be more convenient and user-friendly for you, or did you mean another point to consider?
