While working on some tests, @lingjief and I realized that the authentication system is missing an important check: if an authentication system advertises rules for creating a password, the rules should be:
- enforced exactly as advertised (not different or more flexible)
- applied consistently across creation and login prompts (e.g. rules aren't different for each)
Really makes me think that maybe this is a good opportunity to add tests for privacy and security in biometric parameters for authentication/verification.
A specific case worth checking:
1. Accommodation of various password-manager-generated maximum lengths.
2. Existence of a max password length advertisement, and handling of the exceeded-length error on account creation.

A frequent point of frustration when using a password manager's generated passwords, which often allow lengths of 99+ characters, is generic or inaccurate error messages as to the cause of the error being the length of the password entered at account creation. Often the error message is a generic "catch all" statement rather than one specific to the password length, and it requires testing multiple passwords that use fewer characters until the password is accepted.
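As an added example (not code from this project or any commenter), the sketch below shows the shape of what the issue body and the comment above are asking for: one policy object is the only source for the rules shown on the sign-up form and for the checks run at account creation and at login, rejections name the specific rule that failed (including a too-long password from a password manager), and a consistency check walks the length boundaries to confirm creation and login agree. `PasswordPolicy`, `AuthSystem`, `policy_consistency_check` and the PBKDF2 storage are hypothetical stand-ins, not the real authentication code.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not project code. One policy object is the single source of
# truth for the advertised rules AND for the checks at creation and at login,
# so the two cannot drift apart.


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    # Keep max_length at or below what the password hash actually consumes;
    # otherwise trailing characters are silently ignored and creation and
    # login stop agreeing.
    max_length: int = 128

    def advertise(self) -> str:
        """Text for the sign-up form, generated from the same fields validate() uses."""
        return f"Password must be between {self.min_length} and {self.max_length} characters."

    def validate(self, password: str) -> List[str]:
        """Return specific, user-facing reasons the password is rejected (empty if accepted)."""
        errors: List[str] = []
        n = len(password)
        if n < self.min_length:
            errors.append(f"Password is too short: {n} characters, minimum is {self.min_length}.")
        if n > self.max_length:
            # Name the actual cause instead of a generic "invalid password" message.
            errors.append(f"Password is too long: {n} characters, maximum is {self.max_length}.")
        return errors


class AuthSystem:
    """Hypothetical in-memory store; PBKDF2 stands in for whatever hash a real system uses."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, hash)

    def _hash(self, password: str, salt: bytes) -> bytes:
        # The whole password is hashed; nothing truncates it, so a password that
        # passed the policy at creation is compared in full at login.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def create_account(self, username: str, password: str) -> Tuple[bool, List[str]]:
        errors = self.policy.validate(password)
        if errors:
            return False, errors
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))
        return True, []

    def login(self, username: str, password: str) -> Tuple[bool, List[str]]:
        # Same policy object, same messages as at creation. Policy errors depend
        # only on the submitted password, never on the account, so they do not
        # reveal whether the username exists.
        errors = self.policy.validate(password)
        if errors:
            return False, errors
        record = self._users.get(username)
        # Hash even for unknown users so timing does not distinguish them.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        if record is None or not hmac.compare_digest(self._hash(password, salt), stored):
            return False, ["Invalid username or password."]
        return True, []


def policy_consistency_check(policy: PasswordPolicy) -> bool:
    """The test the issue asks for: creation and login must agree at every length
    boundary, and the advertised text must carry the limits that are enforced."""
    auth = AuthSystem(policy)
    # Constructed sample lengths: both sides of each limit plus a 99-character
    # password-manager style value.
    for n in (policy.min_length - 1, policy.min_length, policy.max_length, policy.max_length + 1, 99):
        pw = "p" * n
        created, _ = auth.create_account(f"user{n}", pw)
        logged_in, _ = auth.login(f"user{n}", pw)
        if created != logged_in:
            return False
    ad = policy.advertise()
    return str(policy.min_length) in ad and str(policy.max_length) in ad
```

The design choice worth copying is that `advertise()` and `validate()` read the same fields, so a change to `max_length` updates both the form text and the rejection message in one place; the consistency check then only has to confirm that creation and login share that one policy.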
Note: we should implement this quickly, before passwords go away forever.