{"id":8632,"date":"2017-01-10T07:20:48","date_gmt":"2017-01-10T12:20:48","guid":{"rendered":"https:\/\/www.ezrasf.com\/wplog\/?p=8632"},"modified":"2017-01-09T10:00:17","modified_gmt":"2017-01-09T15:00:17","slug":"lastpass-feature-request","status":"publish","type":"post","link":"https:\/\/www.ezrasf.com\/wplog\/2017\/01\/10\/lastpass-feature-request\/","title":{"rendered":"LastPass feature request"},"content":{"rendered":"<figure style=\"width: 500px\" class=\"wp-caption alignright\"><a href=\"https:\/\/www.flickr.com\/photos\/sneezypb\/29393946950\/\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"size-medium\" src=\"https:\/\/i0.wp.com\/c1.staticflickr.com\/9\/8378\/29393946950_9cb1986752_d.jpg?resize=500%2C500&#038;ssl=1\" alt=\"Ghost in the Shell Laughing Man shirt\" width=\"500\" height=\"500\" \/><\/a><figcaption class=\"wp-caption-text\">Ghost in the Shell Laughing Man shirt<\/figcaption><\/figure>\n<p>There is no enforced standard for passwords for a web site, so they can be all over the place for requirements. Nor do sites typically explain what are the exact standards before a failure. And then most will state the minimum and types of characters. But, too many leave out the maximum number of characters allowed so I end up experimenting to figure out something as strong as I can get. One of my favorite blogs is <a href=\"http:\/\/password-shaming.tumblr.com\/\">Password Requirements Shaming<\/a>.<\/p>\n<p>Web sites almost certainly record the password to a variable. Hopefully they then encrypt it and store the hash instead of recording the password as plain text. I use LastPass&#8217; password generator to create something typically 40 characters [<a href=\"#note1\">1<\/a>] long and try it. Almost always that results in an error that my password is too long and the limit is actually something shorter. 
There are some frustrations with how sites handle these cases:<\/p>\n<ol>\n<li>It would be nice if more sites would look at the passwords with JavaScript and report if it is too long or too short or has bad characters or does not match in both locations. Very rarely do they check that it is too long. Most just check that they match. Letting me know before I submit it keeps me from wasting my time.<\/li>\n<li>In HTML, <a href=\"http:\/\/www.w3schools.com\/tags\/att_input_maxlength.asp\">maxlength<\/a> defines how many characters the input element will accept. I sometimes look at the HTML to select what password length to generate, but there is no guarantee that the maxlength is reflective of what will work. It fails to help so much I have gotten out of the habit.<\/li>\n<\/ol>\n<p>Arbitrariness with password policies probably makes people tend to more insecure practices through simplification. This is <a href=\"https:\/\/www.goodreads.com\/book\/show\/10639.The_Paradox_of_Choice\"><em>The Paradox of Choice<\/em><\/a>.<\/p>\n<p>It occurred to me that LastPass developers could solve this problem for me. If LastPass knew the password requirements for a site, then it could preset the generator to the maximum length that will fit. When I go to create a password for a site, then it could work the first time instead of taking 2-5 tries to find something that finally works. Most users are lazy and would not change the preset, so passwords would tend to be stronger. [<a href=\"#note2\">2<\/a>]<\/p>\n<p>Admittedly, it usually works on the second try once I&#8217;ve nailed down the maximum number of characters allowed.<\/p>\n<p><a name=\"note1\"><\/a>[1] Originally I would try 50 characters, but I eventually relaxed that down a bit. 
Occasionally, I go through brief periods where I just try 30 or 32.<\/p>\n<p><a name=\"note2\"><\/a>[2] See <a href=\"https:\/\/www.goodreads.com\/book\/show\/2527900.Nudge\"><em>Nudge: Improving Decisions About Health, Wealth, and Happiness<\/em><\/a> for how organ donation rates work for how this would work.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is no enforced standard for passwords for a web site, so they can be all over the place for requirements. Nor do sites typically explain what are the exact standards before a failure. And then most will state the minimum and types of characters. But, too many leave out the maximum number of characters allowed so [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1198],"tags":[114,3249,1013,3248,2355,3250,1752],"class_list":["post-8632","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-javascript","tag-lastpass","tag-password","tag-password-policy","tag-plain-text","tag-random-password-generator","tag-standards"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jet
pack_shortlink":"https:\/\/wp.me\/p1rUBW-2fe","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/posts\/8632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/comments?post=8632"}],"version-history":[{"count":0,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/posts\/8632\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/media?parent=8632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/categories?post=8632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/tags?post=8632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}