April 2026 2 min read

Post 1 — storypass-doesnt-tell-you-strong

Draft preview — this is a stub for an essay we're writing. The full piece will run here when it's ready.

Most password fields show you a meter. Weak. Medium. Strong. Excellent. The colored bar moves, the user feels reassured, the form submits.

The bar is lying.

Strength meters score what you typed against entropy heuristics — character classes, length, whether the string appears in a leaked-passwords list. They cannot score what actually matters: whether the password is one you can remember, one you'll keep using, one that won't end up in a notebook taped under your monitor because the rules made it impossible to live with.

We built StoryPass with one design choice that follows from this: it doesn't grade what it generates. The interface produces a passphrase — a sentence you can read aloud — and shows you nothing else. No bar. No score. No "improve this with a number."

The choice is deliberate. Showing you a strength score for a passphrase you didn't choose is theater. The thing already passes the entropy bar that matters; telling you so is condescension dressed as feedback.
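To make the mismatch concrete, here is an added example (not StoryPass code and not the authors' generator): a minimal meter built from the heuristics named above, next to the entropy of a generated passphrase computed from how it was generated. The leaked list, the label thresholds, the sentence template, and the slot sizes are all assumptions chosen for illustration.

```javascript
// Added illustration; the list, thresholds and slot sizes are assumptions.
const LEAKED = new Set(["password", "123456", "qwerty", "letmein"]); // constructed stand-in

// A meter built from the heuristics named above. It sees only the typed string.
function meterLabel(pw) {
  if (LEAKED.has(pw.toLowerCase())) return "Weak";
  // Character classes: lowercase, uppercase, digit, symbol (spaces not counted).
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9\s]/]
    .filter((re) => re.test(pw)).length;
  let score = classes + (pw.length >= 12 ? 1 : 0); // length bonus
  if (pw.length < 8) score = 1; // short strings never rate above Weak
  return ["Weak", "Weak", "Medium", "Strong", "Excellent"][Math.min(score, 4)];
}

// Entropy of a generated passphrase comes from the generator, not the string:
// with each slot drawn uniformly and independently, bits = sum(log2(slot size)).
function generatorEntropyBits(slotSizes) {
  return slotSizes.reduce((bits, n) => bits + Math.log2(n), 0);
}

// Hypothetical sentence template: adjective, noun, verb, number word, noun.
const SLOT_SIZES = [1024, 2048, 1024, 512, 2048];

function compare() {
  return {
    humanChosen: meterLabel("Password1!"),
    generated: meterLabel("quiet otters carried seven lanterns"),
    generatedBits: generatorEntropyBits(SLOT_SIZES),
  };
}

console.log(compare());
```

The meter rewards a familiar human pattern for ticking every character class and marks down the all-lowercase generated sentence, even though the sentence's entropy is fixed by the generator before the meter ever sees it.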

The full essay walks through:

  • What entropy actually measures, and why "9 zillion years to crack" claims are misleading
  • Why the strength-meter UI pattern persists even though it doesn't help
  • How StoryPass's generator is calibrated, and why we cap entropy rather than maximize it
  • The case for letting users see less about the security of what they're using, not more

Coming soon. Sign up at the bottom of discerne.co if you want to know when it's live.