HN is very different from an e-commerce site. If you are giving your credit card information over to a site, and especially if that site saves cc info, then you should be pretty sure that the site is securely storing your data, because now it's more than just an HN user account you're potentially losing-- it's real money, identity theft, etc.
Not having a password creation rule is just one heuristic that I have started to use to indicate poor security.
I still don't really get it. If a user keeps their CC hooked into an e-commerce site behind an account with a four-character password, how does that compromise the security of the actual system and not just that user's own data (including the credit card they willingly put into an account with a simple password)?
Users should be responsible for their own passwords in my opinion; I don't see what value we get out of making normal, non-admin accounts use long passwords. Is a six or eight character minimum really going to matter to anyone? If they can crack your four character alphabetic lowercase password, they can crack your eight character alphabetic lowercase password.
I just see no reason from an application security perspective to enforce password minimums.
Sure, outside of some small information gain about which hashing/salting algorithm you're using-- which is usually known to the attacker anyway-- there is no real risk to the rest of the users.
I just disagree that each user should be responsible for their own security on sites that store critical information but are used by technologically naive customers. There are better rules that can be enforced than just password minimums, and they will make it harder to crack the password. Even if they continue to choose a relatively weak password, given a decent creation rule set (e.g., 8 characters, an uppercase, a digit, and a special character) it will at least make the attacker go from milliseconds to hours. If you have a large enough userbase, and each account is salted, then you may actually have herd immunity for those weaker passwords, since the attacker now has to spend hours per account.
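As an added illustration of the two mechanisms this comment relies on (not code from the thread or any of its posters): a check for the creation rule set described above (8 characters, an uppercase, a digit, a special character), and per-account salted hashing, which is what forces an attacker to re-hash every guess for every account instead of checking one hash against all of them. The iteration count and PBKDF2-HMAC-SHA256 are my assumptions for a generic password store.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 200_000  # assumed work factor; tune to your hardware budget


def meets_creation_rules(password: str) -> bool:
    """Creation rule set from the comment: >= 8 chars, an uppercase
    letter, a digit and a special (punctuation) character."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh random salt per account means the
    same password stored for two users yields two different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def same_password_distinct_digests(password: str) -> bool:
    """The 'herd immunity' point: with per-account salts, one hashed guess
    cannot be matched against every account at once, so the cost of a
    guess is paid once per account rather than once per user base."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    for pw in ("abcd", "password1!", "Tr0ub4d!r"):
        print(pw, "passes rules:", meets_creation_rules(pw))
    s, d = hash_password("Tr0ub4d!r")
    print("verify ok:", verify_password("Tr0ub4d!r", s, d))
    print("same pw, distinct digests:", same_password_distinct_digests("Tr0ub4d!r"))
```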
Right, so you admit that there is no actual bearing on the security of the overall application, just individual user accounts. I think that's worth clarifying.
I don't like sites that make me use a "special character" very much because they break my automated alphanumeric password generation scheme. I store these passwords in an encrypted container that I reference whenever I want to use the site. The passwords I use are always huge, but I leave punctuation out for convenience in selecting the text with double-click. :) I think that my alphanumeric mixed-case very long passwords are safe enough without requiring punctuation.
I also occasionally run into length limits on passwords, which I'm sure we all agree is silly. But encouraging enforcement of complexity standards somehow seems to make some people think they can place arbitrary limits for the convenience of their VARCHAR() fields or something.
People will either use a password they can remember or reset their password every time they go to your site, which will not only make it really annoying to use your site but also doesn't do much good anyway since the password is then behind their weakly-passworded email account.
I understand that exposing this information allows an attacker to know more about my potential passwords and maybe to enhance his ability to crack them. I'm not really worried about anyone doing that and I'm confident that the information I provided isn't a total giveaway. ;)