The ridiculous password requirements need to stop. I will never remember my 20+ character password.
Twitch requires the most insane password strength I've ever seen. I've had accounts with banks, insurers, court systems and other state/federal government websites, and yours is the only one I will never remember. You're a streaming site. It's not like you're handing out nukes.
Literally all I (and millions of others) want to do is watch streamers and comment occasionally. If the security is this high for streamers, who have jobs and contracts surrounding twitch, then fine. But I think you'd make a lot of people happy by making two separate account types, with different levels of security measures. One for users who will stream, and one for viewers that will never stream. The latter will be thankful you've made the change, I'm nowhere near the first person to complain, and it's a very stupid reason to lose viewers/users/potential paying customers etc.
Been trying to change my pass for hours, wtf, !(@#!@*(#(usiajfo isn't even strong enough?
I spent 10 to 20 minutes changing my password or some **** EVERY TIME! I am leaving and will never try to log in to this website anymore!
Twitch is trash now, leave.
I am glad I'm not alone in thinking that your STREAMING website has insane password requirements, guaranteeing that I will never remember it and will have to go through this asinine process every single time I have to log in. Ease up, you're not the military, a missile silo or a nuclear power plant.
There are currently very many suggestions related to issues with password rules. The purpose of this suggestion is to supersede those complaints by recommending that Twitch specifically adopt the recommendations in NIST Special Publication 800-63B <https://pages.nist.gov/800-63-3/sp800-63b.html>.
The purpose is to not have any rules that make users jump through hoops without improving security. Specific recommendations include:
* Passwords should be at least 8 characters long and there should be no arbitrary maximum length (at least up to 64 characters)
* There should be no composition rules (e.g., rules like "must include a mix of letters and numbers")
* Ban passwords from previous breaches or that are trivially derived from common or easily guessable words or phrases
* Do not provide password hints
* Do not use "knowledge-based" authentication (e.g., "mother's maiden name")
* Do not expire passwords without a reason
* Do not use SMS as a second factor for authentication (but any second factor is better than none)
Selected quotes from appendix A:
"Humans… have only a limited ability to memorize complex, arbitrary secrets… online services have introduced… which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought [Policies], although the impact on usability and memorability is severe."
"Password length has been found to be a primary factor in characterizing password strength… Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes."
"Research has shown… that users respond in very predictable ways to the requirements imposed by composition rules"
"Users also express frustration when attempts to create complex passwords are rejected by online services. Many services reject passwords with spaces and various special characters. In some cases, the special characters that are not accepted might be an effort to avoid attacks like SQL injection that depend on those characters. But a properly hashed password would not be sent intact to a database in any case, so such precautions are unnecessary. Users should also be able to include space characters to allow the use of phrases."
"it is recommended that passwords chosen by users be compared against a blacklist of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose."
"Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed."
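The rules listed in the post above, as a worked example. This is added illustration, not Twitch's code and not text from NIST SP 800-63B: it enforces a minimum of 8 characters, imposes no composition rule and no maximum below 64, keeps spaces so pass phrases work, and rejects secrets that appear in, or are trivially derived from, a blocklist. The blocklist here is a tiny constructed stand-in for a real breach corpus; the leet-substitution table and the hypothetical `check_password`/`base_word` helper names are my own. Under this policy the only ways to fail are being too short or matching the blocklist, so adding characters to an accepted secret never turns it into a "weak" one, unlike the meter several later posts describe.

```python
"""NIST SP 800-63B style memorized-secret check (added example, not Twitch's code)."""
import hashlib
import unicodedata

MIN_LEN = 8  # NIST minimum; there is deliberately no maximum below 64

# Constructed sample corpus: breached passwords, dictionary words and
# service-specific words. A real deployment loads millions of entries.
BLOCKLIST_PLAINTEXT = {
    "password", "123456", "12345678", "qwerty", "letmein", "iloveyou",
    "football", "welcome", "twitch", "twitchtv",
}

# Keep only SHA-1 digests in memory; breach corpora are commonly published that way.
BLOCKLIST_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in BLOCKLIST_PLAINTEXT
}

# Substitutions users apply to a banned word to sneak it past a filter (assumed set).
_LEET = str.maketrans("4301$!@", "aeoisia")
# Decorations stripped from the ends of a candidate before the derivation check.
_EDGE = "0123456789!@#$%^&*()_-+=.,;:'\"?/\\|<>[]{}~` "


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical inputs compare equal.
    Spaces and every other character are kept, so pass phrases work."""
    return unicodedata.normalize("NFKC", secret)


def base_word(secret: str) -> str:
    """Undo the decorations people add to a banned word:
    'P4ssw0rd1!' -> 'password', 'Twitch2024' -> 'twitch'."""
    s = normalize(secret).casefold().strip(_EDGE)
    return s.translate(_LEET)


def _blocked(word: str, blocklist_sha1) -> bool:
    return hashlib.sha1(word.encode("utf-8")).hexdigest() in blocklist_sha1


def check_password(secret: str, blocklist_sha1=BLOCKLIST_SHA1):
    """Return (accepted, reason).

    No character-class rule: a long all-lowercase phrase passes, a decorated
    dictionary word does not. Only length and blocklist membership can reject.
    """
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return False, "too short: at least %d characters" % MIN_LEN
    if len(set(s)) == 1:
        return False, "a single repeated character"
    if _blocked(s.casefold(), blocklist_sha1):
        return False, "appears in breach corpus / common-password list"
    if _blocked(base_word(s), blocklist_sha1):
        return False, "trivial variation of a blocklisted word"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P4ssw0rd", "Tw1tch2024!"):
        print(repr(candidate), check_password(candidate))
```

One caveat on the quoted "size of a hashed password is independent of its length" point: some password hashes have an input limit (bcrypt, for instance, only uses the first 72 bytes). If you use one, pre-hash or pick a hash without the limit rather than capping what the user may type.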
I want to change my password to something specific, twitch won't let me because it's too weak and it's annoying me. Can you let me set it to my password even if it's weak?
This MUST be changed. This is absolutely insane.
Agreed, trying to get the 2 people I know that are on here to go to another streaming site, as I need to reset my password every time I want to log in. We don't all need DoD approved passwords to watch someone play a game. Never seen anything like it before.
If you use twitch on 2 different devices, this is crazy. I can't remember the password, so I request a new one. Now I'm getting a message that I have requested too many password resets. No sh*t, make your password requirements more consistent with THE REST OF THE INTERNET.
Your idea of what a password is is absurd. No way I will ever remember a password that lives up to your ******* ridiculous standards.
I created this password just to be able to write this. Tomorrow I will not remember.......
Do you not realise that if someone wants to hack they use a computer to rng passwords???
It's totally ridiculous. Why do you think a hacker needs my worthless twitch password?
If I have a 20+ character password, is it absolutely safe?
Why can't it be more convenient?
WE DON'T NEED TO HAVE A 20+ CHARACTER PASSWORD!!!
You think that's bad, I tried to make an account using an e-mail I already used, forgot and couldn't recover the account, and it messed up. Then when I tried my new e-mail I kept getting the "your are creating to many new accounts to quickly" message, holy **** twitch why is your sign up process so ******* ********
You morons are telling me that a 10 character password that contains no dictionary words is not usable and I can't change it. ********. If you idiots had anything but *************** you wouldn't be responsible for a massive data breach already. Stupid ******* ********.
If I just type random lower/upper case letters and symbols/numbers, it goes from strong to weak when over like 20-30 letters. Meanwhile type 1 random word with 1 number/uppercase in the middle and it's strong... How does that make any sense?
This code is buggy as ****. I don't think the requirements are being implemented as planned at all!
Tried a password of 12 characters with upper, lower, symbols and number and no recognisable words. This was weak. Shortened it with a simple word in the password, deemed strong. Added any of the letters a, e, y or o to that "strong" password and it became weak. None of the additions created a common word to make it weaker. Played around with my original password, switching an infrequently used symbol for a more frequently used one and suddenly it's strong. Don't bother making something super long you won't forget, it will accept 8 characters, just switch out some letters or symbols as it seems confused by what may or may not be strong. And apparently end on a consonant!
How about you stop telling me what passwords I can and can't have and maybe secure your own data properly.
So you say my password is strong. I then go to change my password AFTER A MAJOR SECURITY BREACH, and I get refused saying "my password isn't complex enough." Well, maybe I could make a complex password if you actually showed the stipulations I am required to meet. My only recourse at this point is to make a random password that I will not remember.
33 chars long with upper and lower case.. weak.
And what were you using when you got hacked, forcing us to change our passwords in the first place? Whatever it was I assume it was even stronger.. and it didn't prevent you from being hacked, so how about letting us use standard passwords, especially when we have 2FA. ****, not even my banks require this level of passwords. Who do you think you are??
Tried creating an account for 3 days, and gave up 2 times purely because I didn't want to go through all that password strength BS just to get an account. Twitch, can you explain how tf adding more characters to the password makes it weaker? At 10 characters, I got "Fair" and adding more made it weaker than "Weak". I guess I will be sticking to any password that at least fits your "Fair" category, until I need to log in somewhere.
The requirement is way more than my 2 banks (8 chars, all lower case).
Twitch might respond, "Well just use a password manager!" to which I would respond:
"Twitch users view streams from tablets, TVs, cell phones which don't have password managers. And if you used a public PC to login to twitch you are screwed."
Fix your "Reset password" page (using Chrome browser). When we type in an 11-symbol password (all lower-case, alpha-numeric, special characters) and it says "Strong" in GREEN TEXT, what does that tell the UX or UI? That indicates to the user that the password entered is acceptable. Fix your UX. I just spent 30 minutes trying 11, 13, 15, 17 and 20 character passwords (upper, lower case, digits, special symbols), all of which say "Strong" in GREEN TEXT, yet it won't accept them when clicking "Set Password".
When making a new account about a year ago I noticed that if you simply include a "space symbol" somewhere in the middle you only need a tiny length like 8-12. Yet 25 symbols of gibberish that didn't include a space symbol wouldn't be accepted.
And after writing the above paragraph I tried adding a single space somewhere in the middle of my 20 length password and it finally worked. At least now my pass is SOMEWHAT memorable (riiiight).