
Comment by someotheracct7

10 years ago

Would love it if there were some kind of markup standard that password managers could read to determine the site's password rules when generating strong passwords.

I have the problem now with sites that don't tell you their password policy - I'll try several times to generate a password in LastPass and then end up with several entries for the same site, which I now need to inspect to determine which one is the one I don't want to delete. Hugely annoying.

I would love it if there were FCC-mandated password handling standards, like a (long) minimum max length, a (wide) minimum permissible charset, and forbidden plaintext storage. It's arguably an issue of national security.

(Or some other appropriate regulatory agency).

  • Jurisdiction over which agency gets to do "cyber" stuff has been an open question for the last thirty years. You can make good arguments that it should be covered by the FBI, NSA, DHS, ATF, the secret service, etc etc.

    (Yes, the Secret Service! The famous raid on Steve Jackson Games back in 1990 was actually carried out by Secret Service agents, who thought that GURPS Cyberpunk was an actual hacking manual.)

There sort of is. In HTML5, text-based form elements have a new "pattern" attribute which takes a regular expression that matches valid input, so the browser can do client-side validation without using JavaScript to intercept the form before it's posted and such. Assuming the site developers have bothered to implement it on their site, then theoretically a password manager could use that to determine valid characters for generated passwords (or, at least, invalid ones). I don't know if any of them actually do this, though.

http://www.w3.org/wiki/HTML/Elements/input/password

The thing is, how many sites are going to have developers clued-up enough to incorporate this markup, but not clued-up enough to avoid stupid password policies that break password managers?

We only run into trouble because sites incorporate silly requirements like "you must have at least one symbol, even if your password is 48 characters long." Fixing that really seems like the better and more attainable goal.