[Cryptography] Removal of spaces in NIST Draft SP-800-63B

Michael Kjörling michael at kjorling.se
Mon Apr 3 04:25:51 EDT 2017


On 2 Apr 2017 15:17 -0400, from kevin.w.wall at gmail.com (Kevin W. Wall):
> (And there are ways
> using JavaScript in web forms, to prevent it from being
> pasted in in the password confirmation field.)

Which has/have a tendency to break legitimate workflows, including
non-automated usage of a password manager. I copy and paste usernames
and passwords from my password manager into the web browser all the
time, in part because I don't quite trust automation to always get it
correct. At least if I mess up myself, I know (or am able to figure
out quickly) which two accounts are involved and can go change those
passwords without having to guess too much.

If pasting into password fields is broken, I will have to choose a far
less secure password, because really, there is no way I'm going to
type a 50+ upper/lower/digits/symbols/hieroglyphs password manually
every time. Either that, or I go with a competing service. (Yes, I
_know_ that 50+ is overkill, but I'm already using a password manager,
so why not add a decent safety margin? It's not like it makes it any
harder.)

Please don't ever encourage breaking standard workflows, including
copy and paste.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

