Reconsider your password validation

I am using 1Password, which is an extremely popular password manager, and the passwords it generates should be considered strong enough to be used in applications.

However, they are not always compatible with Last Epoch.

The first password it generated was this: .G)uLRTttXR6}X*wrn,:Xrrq which probably failed because there are two consecutive ‘r’s towards the end. Another one also failed but I couldn’t figure out why. It worked on the third try.

Rules such as “no consecutive characters” are arbitrary and not an effective way to realistically make a password more secure. Please try to keep it simple, or use a library that uses entropy calculators to check a password’s strength. Home-grown validators like the one you guys are using just make for a horrible user experience, and create the illusion of security, rather than actual security.

Edit: I rechecked and the rule is three consecutive characters, and for some reason it’s the } symbol that caused the validation to fail, which makes even less sense.

Thanks!


I didn’t even know about the consecutive letters rule, but I don’t see how that would make a password less secure unless it was only a single letter repeated. Mathematically, having one less possible input with that rule makes them definitively less secure, actually (just not by enough margin anyone is likely to notice or care).

Agreed.
The bigger problem is that it almost made me give up on using the random generator, to make a custom - inevitably weaker - password instead.

Also, the UI told me that password validation failed, but not specifically which validation rule failed.


I think this is easily corrected and should be ASAP.

That prompted me to recheck and I was wrong, the rule is three consecutive characters. So that wasn’t the problem here. It’s the fact that the password contains an }, which for some reason is considered invalid. It really shouldn’t matter what characters you’re using since they’re supposed to be hashed. This one’s even an ASCII character so about as basic as they come.

Kind of proves my point that they need to tell you what caused the validation to fail :wink:
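
As an added illustration of two points raised in this thread (it is not part of any post and is not Last Epoch's code): a validator that names the rule it rejected, and a count of how much entropy such rules remove from a uniformly random password. The two rules, the 94-character printable ASCII alphabet and all function names are assumptions modelled on the thread's description.

```python
import math
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Assumed rules, modelled on the thread's description (not the game's validator).
FORBIDDEN = {"}"}
MAX_RUN = 2  # three identical characters in a row are rejected


def failed_rules(pw):
    """Name every assumed rule the password breaks; an empty list means accepted."""
    failures = []
    for ch in sorted(set(pw) & FORBIDDEN):
        failures.append(f"contains forbidden character {ch!r}")
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > MAX_RUN:
            failures.append(f"{cur!r} appears {run} times in a row")
            break
    return failures


def count_allowed(length, alphabet_size, max_run=MAX_RUN):
    """Count strings of `length` (>= 1) with no run longer than max_run."""
    # ends[r] = number of strings whose final run has length r + 1
    ends = [alphabet_size] + [0] * (max_run - 1)
    for _ in range(length - 1):
        fresh = sum(ends) * (alphabet_size - 1)  # next char differs: run restarts
        ends = [fresh] + ends[:-1]               # next char repeats: run grows
    return sum(ends)


def bits_lost(length):
    """Entropy removed from a uniformly random password by both rules together."""
    unrestricted = len(ALPHABET) ** length
    restricted = count_allowed(length, len(ALPHABET) - len(FORBIDDEN))
    return math.log2(unrestricted) - math.log2(restricted)


if __name__ == "__main__":
    sample = ".G)uLRTttXR6}X*wrn,:Xrrq"  # generated password quoted in the first post
    print(failed_rules(sample))
    total = len(sample) * math.log2(len(ALPHABET))
    print(f"{bits_lost(len(sample)):.3f} bits lost out of {total:.1f}")
```

The count assumes every character is drawn uniformly and independently, as a password generator does; it says nothing about human-chosen passwords.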
