Hacker News new | past | comments | ask | show | jobs | submit login

The password format <word><number><special char> is surely the most common password pattern that everyone seems to have independently adopted



It's not happening independently, it's cargo-culted. There's lots of "security advice" out there recommending doing exactly this.

Plus, if you're missing a requirement when trying to set your password, the easiest thing to do is just append the missing requirement at the end. Especially if it's punctuation, which naturally goes at the end of words/sentences anyway.


I've taken to using random passwords for signup and password reset for each login, since that's what password guidelines eventually force me to do anyway.


One of my huge pet peeves is when sites have really idiosyncratic password requirements, like they require the use of at least 1 punctuation characters (but it's from a limited subset of available punctuation characters), or uncommon requirements on length (I've seen both can't be longer than 10 characters and must be longer than 12).

And yet, none of these requirements are visible on the login page! So I have no freaking clue what my password might actually be, and thus my typical login flow for these lesser used accounts is always going through the password reset flow. It's a joke.


Actually this is interesting, I did this myself growing up. But I seem to remember that it arose because of slowly changing password requirements. Like I remember having a password in my teens for Myspace and other web services, and one day when signing up for a new service I was prompted with "your password must contain at least one number". So I just took the same old password and put a number on the end of it. Then a few years later the same thing happened with special characters: "Your password must contain at least one number and a special character". So then "okay, just tack a special character on to the password I already know" and voila <word><number><special char> is now my password.


My intuition also.

I can practically date my old passwords (for unimportant things) by this, and/or how many times I forgot it and had to set a new, unique password.


> Please select a password:

azalea

> Your password needs to contain a number and a special character.

azalea1!


Since many companies must follow the rules set by one compliancy or another and these have demanded passwords to contain 3 of the 4 different groups of characters AND require changing said passwords every 3 months, most employees have been trained to use a number scheme along the lines of:

<word> <special char> <number>

Whereby word & special character are set in stone (easy to remember) and the number just increments with every change.

If only there was a way to allow more flexible demands on passwords within MS AD, things would improve so much.

Password > 14 characters and NOT listed in Pwned Passwords == allow for passphrase to be used "forever"

Password < 14 characters OR listed in Pwned Passwords == demand (regular|immediate) change.

Very decent source for Pwned Passwords https://haveibeenpwned.com/Passwords


If you haven't, you need to watch this: https://www.youtube.com/watch?v=aHaBH4LqGsI

edit: title is "You Should Probably Change Your Password! | Michael McIntyre Netflix Special" if you prefer to search on youtube yourself


Or using popular quotes and phrases because they are long, they must be more secure.


ho shit, didn't think it would be so common




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: