Show HN: A web-based matrix client: Cinny (github.com/ajbura)
163 points by kfiven on July 28, 2021 | 72 comments



Link to the actual app https://app.cinny.in/login

__________

EDIT: Upon registration "Password must contain 1 number, 1 uppercase letters, 1 lowercase letters, 1 non-alpha numeric number, 8-16 characters with no space."

Not sure if that's a Matrix limitation or just javascript validation, but if it's on your end please don't do that... if anything you're enforcing less secure passwords.

__________

EDIT 2: Hitting reload on https://app.cinny.in/register leads to a 404


This direct link will 404: https://app.cinny.in/login

But if you go to the homepage (index.html) and click on Login it will do the weird little SPA routing thing and load the page correctly.

I'm guessing netlify needs to route every URL path to the index.html?

SPA apps have just fundamentally broken the web.


No that's not a Netlify thing, it's most likely how the website is just configured.


That's not a SPA breaking the web, it's just misconfigured.


Technically yes, but the fact that SPAs require explicit and extra code/configuration to make them work when this functionality (url nav) is a works-by-default inherent part of the web's core design makes them arguably broken by design.


Note, some of that is a requirement by the Matrix protocol and is out of the client's control. It's ultimately up to the server to configure different password requirements.

https://matrix.org/docs/spec/client_server/latest#notes-on-p...

> Clients SHOULD enforce that the password provided is suitably complex. The password SHOULD include a lower-case letter, an upper-case letter, a number and a symbol and be at a minimum 8 characters in length. Servers MAY reject weak passwords with an error code M_WEAK_PASSWORD.


While it can, my opinion is the client and server should not enforce anything about password strength, but MAY warn the user about weak passwords.

The criteria that I think would be acceptable to be enforced includes:

- A maximum (not a minimum) length, which must be suitably long, perhaps 200 bytes (or longer).

- Rejecting passwords containing null bytes.

- Rejecting passwords containing sequences of bytes that cannot be transmitted using the protocol, if it is necessary to transmit the password using the protocol at all (which it might not be, since it might use a hash instead). (This depends on the protocol.)

- If despite the advice above, the client knows that the server will reject other passwords too, and knows precisely what the criteria are, the client can reject the same passwords.

Examples of some things that should be allowed (and should not be rejected) include:

- Passwords that are short.

- Passwords that include your username as a substring.

- Character classes/lack of character classes (e.g. you should not require nor prohibit punctuation).

- Control characters (if not causing problems with the protocol like mentioned above).

- Invalid UTF-8 sequences.

(Just because they are allowed though, does not necessarily mean that they should be recommended.)

Also, passwords should always be case-sensitive.

The user should decide by themself what password they want to set, although it is OK to include advice that is optional.


Not to be overly pedantic, but SHOULD is not a requirement according to https://www.ietf.org/rfc/rfc2119.txt, but a recommendation that should be fully understood before making a different decision. I fully agree that it should be a different measure of complexity though!


Why is this still a thing? I think all tech people hate it, and all non-tech people use "Password1".


Some tech people hate it so much that they delegate it to a password manager. ;)


As a side-note, I wish I could give lastpass a regex or pattern or something to check auto-generate guesses against (it would be great to have a [trusted] library of these, too). I often end up regenerating or tweaking my auto generate settings a few times for every new account I create to get around this stuff.


Password managers are great until you need to log in on someone else’s machine. Especially when you don’t have your device on you. It’s bitten me before.


If you have hundreds of unique passwords, I don't see an alternative unless you're a savant or use predictable patterns. But that doesn't mean there aren't ways to get around it. For one, using a password manager shouldn't stop you from remembering your most important passwords, especially those you expect to use in other people's machines. You can take some extra care to make these important passwords easy to remember while still being secure. I could go on but everything I'd say is quite obvious.


Oh I use a password manager too. Just pointing out it isn’t a catch-all.


The max limit of 16 characters is odd.

As for the other requirements, it's just a matter of enabling various options in your password manager's generator. And if you're not using a password manager, it's very probable you're using/reusing insecure passwords.


And if that's still not you then you probably are using/reusing a secure password that thankfully seems to be accepted by most sites!


> reusing a secure password

congratulations, it’s no longer a secure password


I think that maximum 16 characters is way too short. Perhaps 127 bytes might be a suitable maximum, although it should be more if possible. (This does not mean that you are required to enter a password of at least that length; it is only the maximum length, not the minimum length.)


There are some issues related to /login and /register, but https://app.cinny.in should work fine.


Using Safari's "password suggestion" generated password gives error:

"Password must contain 1 number, 1 uppercase letters, 1 lowercase letters, 1 non-alpha numeric number, 8-16 characters with no space."

Even an example password:

apPa4SRODhLWcUa/x9HbqA==

which passes all the requirements doesn't work.

I would really like to use this.


I struggled with this too. The password is too long, I had to make mine shorter


Thanks, that helped.
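
An added example (not part of the thread and not Cinny's code) that compares the registration rule quoted in the error message with the policy proposed earlier in the thread, where only a byte cap and null bytes are enforced and everything else is a warning. `strictRule`, `lenientRule`, `MAX_BYTES` and `WARN_BELOW_BYTES` are hypothetical names, and the strict rule is reconstructed from the message wording only.

```javascript
// Added example, not Cinny's code. strictRule() is reconstructed from the error
// message quoted in the thread; lenientRule() follows the criteria proposed in
// the thread (hard limits only, everything else is a warning).
const MAX_BYTES = 200;       // assumption: the "perhaps 200 bytes" figure from the thread
const WARN_BELOW_BYTES = 12; // assumption: advisory threshold, never enforced

// Returns the list of requirements the password fails under the quoted rule.
function strictRule(pw) {
  const failed = [];
  if (!/[0-9]/.test(pw)) failed.push('number');
  if (!/[A-Z]/.test(pw)) failed.push('uppercase');
  if (!/[a-z]/.test(pw)) failed.push('lowercase');
  if (!/[^A-Za-z0-9]/.test(pw)) failed.push('non-alphanumeric');
  if (/\s/.test(pw)) failed.push('no space');
  if (pw.length < 8 || pw.length > 16) failed.push('8-16 characters');
  return failed;
}

// Rejects only what cannot be handled safely; weak-looking input gets a warning.
function lenientRule(pw) {
  const bytes = new TextEncoder().encode(pw).length; // UTF-8 length, not UTF-16 units
  const errors = [];
  const warnings = [];
  if (bytes > MAX_BYTES) errors.push('longer than ' + MAX_BYTES + ' bytes');
  if (pw.includes('\0')) errors.push('contains a null byte');
  if (bytes < WARN_BELOW_BYTES) warnings.push('short password');
  return { ok: errors.length === 0, errors, warnings };
}

// Inputs: the two passwords quoted in the thread plus constructed edge cases.
const samples = [
  'apPa4SRODhLWcUa/x9HbqA==', // from the thread: 24 characters
  'Sod42Off!',                // from the thread: 9 characters
  'pass\0word',               // constructed: embedded null byte
  'x'.repeat(201),            // constructed: over the byte cap
];
for (const pw of samples) {
  console.log(JSON.stringify(pw.slice(0, 24)), strictRule(pw), lenientRule(pw));
}
```

The 24-character generated password fails only the length cap of the quoted rule, while the 9-character one satisfies every part of it.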


Login link doesn't work either.


Sod42Off!


I wonder how often 42 and 1337 are used in passwords.


This is the smallest thing in the world but: in the screenshot on cinny.in: that's my chicken illustration! :D (Not my chicken, she belongs to https://www.instagram.com/chooks_in_town/ so I also put the illo on IG https://www.instagram.com/p/CRQETITJncO/)

More substantively: the look of this is so nice. My biggest complaint with element is UX around cross-signing (though I'd also switch in a heartbeat if someone hacked in voice messages somehow). How have you found all that to implement? (Totally fine if it's still on a roadmap, I'm just curious)


I believe it would please you to know Voice Messages are currently front in line to be implemented next.


ho ho HO your belief is correct!


I don't see any chicken anywhere? This is the screenshot that shows up: https://cinny.in/assets/preview-light.png

I also tried changing the "light" in the url to "dark" and got https://cinny.in/assets/preview-dark.png


They are referring to the chicken on the home page with the second theme (non-pure white) selected:

https://cinny.in

Image:

https://cinny.in/assets/preview-silver.png


busymom0 had it right -- I meant the preview for the silver theme :)


This is gorgeous! Have you considered adding it to matrix.org/clients?

It would also be interesting to know a little bit more how the hard features are implemented. Key exchange and cross signing in E2EE? Plans for "native" VoIP?


PRs are welcome against github.com/matrix-org/matrix.org to list clients :)

(it looks like cinny is built on matrix-js-sdk, which also powers element web, so inherits the e2ee support and could inherit voip etc from there).


First impression: very nice look and feel, definitely prettier and much snappier than Element.

It does lack a lot of basic features though (like reply, editing/deleting messages, ...).

Totally understandable, of course, but React apps always tend to be fast early on but slow down as more and more features are added.


I appreciate, so much, that you call out and focused on proper spacing for layout.

This is hands down my biggest pet peeve with so many open source projects and an outright reason I won't use some of them.

Amazing job.


i wonder if the Show HN link should be changed to go straight to https://cinny.in?

The app is really impressively well done - goes to show how well an entirely fresh React app can run on top of matrix-js-sdk (and thus how much snappier Element can be :)


It looks like I can not change it now.


@dang can change it, though


Looks very nice! I will have to try it. Do you have plans to announce it to matrix.org's This Week In Matrix (TWIM) updates? If you're looking for more testing and feedback I'm sure you'll get some from the visibility there.


It's already been posted to the TWIM room so it should be in it.


Wow, this is really well done. I love how fast it is. Any plans on making an electron desktop app? I would definitely use it.


Heck if it's a general purpose web app - ie not only Chrome, maybe give Tauri[1] a try?

[1]: https://github.com/tauri-apps/tauri


Yes, after some more features we're going to make an Electron app.


As others have said, perhaps Tauri would work better (and save you from neverending complaints from the anti-electron brigade)


As a side note, being someone who is quite interested in matrix as a technology, could anyone recommend any good and active rooms (or spaces, if that's a thing now) on matrix? The only ones I can find are mostly for asking questions about specific programming languages or technologies.


You gotta follow TWIM. It’s the room where things get announced to make it into their Friday post on This Week In Matrix.


tech heavy, but sort of a general chat: AfediverseChat: https://matrix.to/#/!TwVRDXcJyTivqGQvWF:matrix.org


So dumb question about Matrix.. any long-time IRCers use it? How did you make the transition? Is it straight forward to use weechat with it? If you abandoned the irc client, is it easy to keep personal logs?


The matrix core team was very much long-time IRCers (opering networks since late-90s) before we embarked on Matrix, so we've tried to make it a decent transition. The python weechat-matrix plugin is pretty good (in my opinion, although others seem to have had bad experiences). Matrix itself stores your conversation history for you, so most people don't bother storing separate logs. There are tools to let you maintain separate logs though, e.g. https://github.com/russelldavies/matrix-archive - and log export is also currently being added to Element.


> ...any long-time IRCers use it?

If it is any consolation, Mozilla (yes, that Mozilla!) moved over from irc to matrix back in 2020 if i recall correctly. So, i imagine that would represent a large-ish number of irc users, and many likely had been using irc for quite some time now. See: https://discourse.mozilla.org/t/synchronous-messaging-at-moz... and https://wiki.mozilla.org/IRC


Looks very clean. I'm looking forward to a more capable version of Cinny.

The validation on the login page is a bit annoying though. I'd like to paste a Matrix address like @username:domain.org.


You can paste localpart with @ also. So @username in username and domain.org in Homeserver.


Really wanted to try this, and am still looking forward to at some point, but for some reason my password is invalid to the client and presents 'M_FORBIDDEN: Invalid password' despite it being a cryptographically secure random-gen password in my vault - presumably because it doesn't have a special character in it.

It would be cool if this limitation was a little more up front - While I can spin up a copy on my own and adjust the limitation myself, I don't think everyone's going to want to do that.


When will we get native, beautiful, and fast Matrix clients? I am very tired of Electron and web applications, I want a snappy experience for once. Please.


Like an old engineering mantra, "I can give you 2 out of 3"...Jokes aside, the matrix.org website does have a nice page listing the different clients (that they at least know about), and it's nicely broken up into sections for mobile, desktop, terminal, and even nintendo (!). There are a number of native clients and some (e.g. nheko, quaternion) i have unscientifically found to be very fast...as far as beautiful, well, i think it would be best to leave that to you as your opinion. Here's the client list page that i referenced above: https://matrix.org/clients/

I hope that helps!


Wow, it really has a great first impression! The visual and feel is just amazing - and even basic E2EE seems to be available.

I'm definitely sold and following along with developments


So looking at the site, this seems to be only client code? If nothing needs to be installed or run on a server, then this will be huge!

Looking forward to trying this out later today.

Nice work!


this is just a client for the matrix protocol. There are several server implementations

matrix.org


Explain to me again why it isn't crazy to type your username and password into the login form of some random webpage you've never heard of?


you should really use a test account when experimenting with random matrix clients. meanwhile we’re looking at adding OAuth 2 to Matrix by default so your server is the one that auths you, rather than a random client: https://github.com/matrix-org/matrix-doc/pull/2964#issuecomm...


This site is requiring an email address to register a matrix.org account. Odd.

Then I'm guessing it has a captcha. I'm not sure because it fails to load with Privacy Badger enabled.

My attention just wandered away. Hopefully they can address some basic privacy concerns and get another at-bat.

Edit: Seems that matrix.org is now requiring an email address.


CAPTCHA is enforced by the server itself, so the client is just following that.


yup, we mandate email on matrix.org atm as an anti spam measure


i love the design

any plans for mobile? maybe give react native and react-native-web a try!


First priority is a somewhat regularly usable responsive PWA for desktop as well as mobile.


sure, thanks for getting back!


Really happy to see more implementations with the Matrix protocol. The official implementations leave a little to be desired so it's good to see different takes on it.


I thought there would be a downloadable desktop app....


Does matrix support threads?


Threading is on the roadmap and should be coming Soonish (prototypes of it are already implemented in Dendrite, matrix.org's beta server).

Until then, it does support Reply messages similar to Discord's.


Ah, that's good to hear. It's basically the last missing feature that holds my company back from using matrix. BTW, Discord does have threads now.


this is a great app! I am literally hooked to it.



