password requirements
The password requirements are truly insane for the average user. I shouldn't need a password so secure that it'd take years to *****, I need a password I can remember. This is a streaming site.
If a streamer wants a super secure password, they can make that themselves, but imposing insane guidelines on people who just want to follow a few people is super annoying.
-
sf_nadim commented
7Ü{.42òÛ¡HËÖö¢h@~LøßïÌtv±~ÀzÁö²Óè`ç¿5KJ{PKÃ>±5¶èÐróU¥Ü&UÊ¿Ñ&Ù$¾ü§¤%ÙÕzdQ\¨ü(m·"±U{ÀÌ[£ØªÕ¹rf¡a²·g®×"=*K»'î¥ÆtZTgSØävïïsаÁp°¸ÚàÒ
this password is too easy to guess. I think twitch has a super quantum computer or something
-
big0304 commented
Been trying to change my pass for hours wtf !(@#!@*(#(usiajfo isn't even strong enough?
-
banana_2048 commented
I spent 10 to 20 minutes changing password or some **** EVERYTIME! I am leaving and will never try to login to this website anymore!
-
nonchalantpartisan commented
Twitch is trash now, leave.
-
Nomonuies commented
I am glad I'm not alone in thinking that your STREAMING website has insane password requirements, guaranteeing that I will never remember it and will have to go through this asinine process every single time I have to log in. Ease up, you're not the military, a missile silo or a nuclear power plant.
-
Undeference commented
There are currently very many suggestions related to issues with password rules. The purpose of this suggestion is to supersede those complaints by recommending that Twitch specifically adopt the recommendations in NIST Special Publication 800-63B <https://pages.nist.gov/800-63-3/sp800-63b.html>.
The purpose is to not have any rules that make users jump through hoops without improving security. Specific recommendations include:
* Passwords should be at least 8 characters long and there should be no arbitrary maximum length (at least up to 64 characters)
* There should be no composition rules (e.g., rules like "must include a mix of letters and numbers")
* Ban passwords from previous breaches or that are trivially derived from common or easily guessable words or phrases
* Do not provide password hints
* Do no "knowledge-based" authentication (e.g., "mother's maiden name")
* Do not expire passwords without a reason
* Do not use SMS as a second factor for authentication (but any second factor is better than none)
---
Selected quotes from appendix A:
"Humans… have only a limited ability to memorize complex, arbitrary secrets… online services have introduced… which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought [Policies], although the impact on usability and memorability is severe."
"Password length has been found to be a primary factor in characterizing password strength… Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes."
"Research has shown… that users respond in very predictable ways to the requirements imposed by composition rules"
"Users also express frustration when attempts to create complex passwords are rejected by online services. Many services reject passwords with spaces and various special characters. In some cases, the special characters that are not accepted might be an effort to avoid attacks like SQL injection that depend on those characters. But a properly hashed password would not be sent intact to a database in any case, so such precautions are unnecessary. Users should also be able to include space characters to allow the use of phrases."
"it is recommended that passwords chosen by users be compared against a [BANNED PHRASE] of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose."
"Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as [BANNED PHRASE], secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed."
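The checks listed in the comment above, as an added example that is not part of the original comment and is not Twitch's code. The banned list, the context word, the 256-character cap, the character-swap table and the NFKC normalization are assumptions of this example.

```python
import unicodedata

MIN_LENGTH = 8    # minimum length from the list above
MAX_LENGTH = 256  # assumed cap for this example; the list asks for at least 64

# Constructed stand-in for a breach corpus and dictionary list.
BANNED = {"password", "12345678", "qwertyuiop", "iloveyou", "letmein"}
# Context-specific words users are likely to choose, such as the service name.
CONTEXT_WORDS = {"twitch"}

# Common character swaps, undone so "p@ssw0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
TRAILING = "0123456789!@#$%^&*?._-"


def candidate_forms(password):
    """Return the normalized forms that are compared with the banned list."""
    lowered = unicodedata.normalize("NFKC", password).lower()
    stripped = lowered.rstrip(TRAILING)  # "password2024!" -> "password"
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}


def check_password(password):
    """Return rejection reasons; an empty list means the password is accepted.

    There is deliberately no character-class (composition) rule and spaces
    are allowed, so long pass phrases pass on length alone.
    """
    reasons = []
    length = len(unicodedata.normalize("NFKC", password))  # Unicode code points
    if length < MIN_LENGTH:
        reasons.append("too short")
    if length > MAX_LENGTH:
        reasons.append("too long")
    if candidate_forms(password) & (BANNED | CONTEXT_WORDS):
        reasons.append("banned or trivially derived")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["Password1!", "Tw1tch!!", "abc",
                   "correct horse battery staple",
                   "mQzrTnwLpXcvBhKdmQzrTnwLpXcvBhKdy"]:
        print(repr(sample), check_password(sample) or "accepted")
```

A password that satisfies typical composition rules ("Password1!") is rejected here because it reduces to a banned word, while a 33-character letters-only string and a pass phrase with spaces are accepted.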
-
TheKingLyric commented
I want to change my password to something specific, twitch won't let me because it's too weak and it's annoying me. Can you let me set it to my password even if it's weak?
-
Krenchrchash commented
This MUST be changed. This is absolutely insane.
-
jleonard4421 commented
Agreed, trying to get the 2 people I know that are on here to go to another streaming site, as I need to reset my password every time I want to log in. We don't all need DoD approved passwords to watch someone play a game. Never seen anything like it before.
-
ddza81998 commented
If you use twitch on 2 different devices, this is crazy, I can't remember the password, so I request a new. Now I'm getting a message that I have requested too many password resets, no sh*t, make your password requirements more consistent with THE REST OF THE INTERNET
-
yardstones commented
Your idea of how a password is absurd, no way I will ever remember a password that lives up to your ******* ridiculous standards.
I created this password just to be able to write this. tomorrow I will not remember.......
Do you not realise that if someone want to hack they use a computer to rng passwords???
-
mrmuyou commented
Is totally ridiculous, why you think hacker need my worthless twitch password?
If I have a 20+ character password, is it absolutely safe?
Why can't it be more convenient? WE DON'T MUST HAVE 20+ CHARACTER PASSWORD!!!
-
thatboijaden7 commented
You think that’s bad, I tried to make an account using an e mail i already used, forgot and couldn’t recover the account, and it messed up then when I tried my new e mail i kept getting “your are creating to many new accounts to quickly” message, holy **** twitch why is your sign up process so ******* ********
-
clownpuncher_ commented
You morons are telling me that a 10 character password that contains no dictionary words is not usable and I can't change it. ********. If you idiots had anything but *************** you wouldn't be responsible for a massive data breach already. Stupid ******* ********.
-
Keula_ commented
If I just type random lower/upper case letters and symbols/numbers it goes from strong to weak when over like 20-30 letters. Meanwhile type 1 random word with 1 number/uppercase in the middle and it's strong... How does that make any sense?
-
SisterRads commented
This code is buggy as ****. I don't think the requirements are being implemented as planned at all!
Tried a password of 12 characters with upper, lower, symbols and number and no recognisable words. This was weak. Shortened it with a simple word in the password, deemed strong. Added any of the letters a, e, y or o to that "strong" password and it became weak. None of the additions created a common word to make it weaker. Played around with my original password, switching an infrequently used symbol for a more frequently used one and suddenly it's strong. Don't bother making something super long you won't forget, it will accept 8 characters, just switch out some letters or symbols as it seems confused by what may or may not be strong. And apparently end on a consonant!
-
PvPRunner commented
How about you stop telling me what passwords I can and can't have and maybe secure your own data properly.
-
Squiddicus commented
So you say my password is strong. I then go to change my password AFTER A MAJOR SECURITY BREACH, and I get refused saying "my password isn't complex enough." Well, maybe I could make a complex password if you actually showed the stipulations I am required. My only recourse at this point is to make a random password that I will not remember.
-
Teyek commented
33 chars long with upper and lower case.. weak.
Really?
And what were you using when you got hacked forcing us to change our passwords in the first place? Whatever it was I assume it was even stronger.. and it didn't prevent you from being hacked, so how about letting us use standard passwords, especially when we have 2FA. ****, not even my banks require this level of passwords. Who do you think you are??
-
linuxas98 commented
Tried creating account for 3 days, and gave up 2 times purely because I didn't want to go through all that password strength BS to just get an account. Twitch can you explain how tf does adding more characters to the password makes it weaker. At 10 characters, I got "Fair" and adding more made it weaker than "Weak". I guess I will be sticking to any password that at least fits your "Fair" category, until I need to login somewhere.