Are you a programmer? Do you want to create a *login* registration form? Do you want it to be good?


#1
Then FUCK SECURITY QUESTIONS, DAMN!

Also fuck those password requirements!

And fuck the whole form, in fact. Use some openAuthID already, such as Google, Twitter or even freaking Facebook, for fuck's sake!


Security questions are the *easiest* way to introduce a security flaw. Apple learned it the hard way. All you need is to gather a little info about your prey. The people who are most likely to get hacked will be easier targets with this bullshit.

Password requirements, such as "at least one number, one capital letter and one non-alphanumeric character", are like "security" doors in banks or metal detectors in airports. They are just annoyance theater. The only requirement you should ever impose is "type in at least 16 characters", but even that, fuck it. If the person wants to have a weak password, fuck them! If it's a "poor" old person, fuck them!

Fuck. Tell them to go learn to live a little and quit whining. Close the telephone support doors (Google) or make the lines long (Apple).


Mother fuckers!
You want to alert them? Then ALERT THEM! Do not REQUIRE everyone to do as you please. Make a popup "YOUR PASSWORD IS PROBABLY INSECURE - PLEASE TYPE IN AT LEAST 16 LETTERS" or something.

If you HAVE to make that form, if someone is pointing a gun at your head and telling you "MAKE A FREAKING LOGIN FORM", then do it properly. It's not that hard.

But it would be better if, right after that, you point a gun back at that someone and say "I WILL NOW USE OPENID, FUCKER", and delete the whole thing.
This is a companion discussion topic for the original entry at http://www.cregox.com/blog/2014/05/are-you-programmer-do-you-want-to.html

What does public sex and smartphones have in common?
Passwords
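As an added example (not code from cregox's post or blog), here are the two password policies the post argues about, side by side: the usual "one number, one capital, one symbol" composition rule, which accepts or rejects, and the post's alternative, a length check that never blocks and only hands the UI a warning. The sample passwords are constructed for the demo; the 16-character threshold is the post's own number.

```python
"""Composition rules vs. a warn-only length check, run over sample passwords.

Added example; not from the original post. The sample passwords below are
constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

MIN_ADVISED_LENGTH = 16  # the post's suggested minimum

# The "at least one number, one capital letter and one non-alphanumeric
# character" rule, as most sign-up forms implement it.
COMPOSITION_RULES: Dict[str, re.Pattern] = {
    "digit": re.compile(r"[0-9]"),
    "uppercase": re.compile(r"[A-Z]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def composition_policy(password: str) -> List[str]:
    """Blocking policy: return the names of the rules the password fails.

    An empty list means the form would accept it.
    """
    return [name for name, rx in COMPOSITION_RULES.items() if not rx.search(password)]


def length_advice(password: str) -> Optional[str]:
    """Non-blocking policy: never reject, just return a warning (or None).

    The caller shows the warning in a popup and submits the form regardless.
    """
    if len(password) < MIN_ADVISED_LENGTH:
        return (
            "YOUR PASSWORD IS PROBABLY INSECURE - PLEASE TYPE IN AT LEAST "
            f"{MIN_ADVISED_LENGTH} CHARACTERS (you typed {len(password)})"
        )
    return None


# Constructed samples: a short password that satisfies every composition rule,
# and a long passphrase that satisfies almost none of them.
SAMPLES: Dict[str, str] = {
    "short_but_compliant": "Password1!",
    "long_passphrase": "correct horse battery staple",
    "long_compliant": "Correct-Horse-Battery-Staple-2014",
}


def compare(samples: Dict[str, str]) -> List[Tuple[str, bool, bool]]:
    """For each sample: (label, accepted by composition rule, warned by length check)."""
    rows = []
    for label, pw in samples.items():
        accepted = composition_policy(pw) == []
        warned = length_advice(pw) is not None
        rows.append((label, accepted, warned))
    return rows


if __name__ == "__main__":
    for label, accepted, warned in compare(SAMPLES):
        print(f"{label:22} composition_accepts={accepted!s:5} length_warns={warned}")
```

Running it shows the mismatch the post is complaining about: the 10-character "Password1!" sails through the composition rule while the 28-character passphrase is rejected for lacking a digit and a capital; the warn-only check flags only the short one and blocks nothing.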
#2

Follow-up:

The whole idea in this post was to favor OAuth and OpenID (I did mix the two up there unintentionally) and completely drop the password reminders along with all the weak ideas around authentication. One of them was password strength.

So this really changes nothing about the whole idea here, but it sure sheds some light on the relevant xkcd mention there. Especially on mobile, even asking for passwords is stupid as fuck.