Suggestion Encouraging and requiring that passwords have numbers and symbols is very bad!

Discussion in 'Community Chat' started by 0xFFF1, Jun 22, 2016.

Thread Status:
Not open for further replies.
  1. 0xFFF1

    0xFFF1 Guest


    https://xkcd.com/936/


    Please encourage users to use passwords that are easy to remember and hard for computers to guess. Perhaps link to a sufficient online random word generator.
    The forums are still new, you should make this switch as soon as possible.
     
  2. Nocturne

    Nocturne Friendly Tyrant Forum Staff Admin

    Joined:
    Apr 13, 2016
    Posts:
    7,046
    Sorry, not going to happen.
     
  3. RedGhost

    RedGhost Guest

    I agree, I use my old school password (which is 10 chars long, composed of letters and numbers seemingly randomly) yet it didn't work because I had to do a capital letter (no problem, first letter capital letter) but also a special character, on which _ didn't work..

    It's a pain and almost impossible to remember. A password is made to be remembered, not to be forgotten.

    If someone makes his password password1, well good for him. Because some people don't know the definition of password do we really have to have a hard time logging in each time trying to remember which of the billions of possible password mutations could've been used on this site?

    I'm against the strong regulation, but don't remove it entirely. Add some kind of strong password bar like google accounts have.

    And you know something is wrong when your gmail password is less strong than one of a forum..

    And the bad part is, you need a password to look at images that users uploaded..

    But I'm curious tho.. Why's it not going to happen?
     
  4. Kousenai

    Kousenai Furry Flaebae

    Joined:
    Jun 20, 2016
    Posts:
    72
    Oh, come on now. It's honestly not that hard to just make something up that fits and is easy to remember (like 'CookiesAndCream-89').
     
  5. RedGhost

    RedGhost Guest

    It is when you already have 23 different passwords because every site has different password requirements.
     
  6. Kousenai

    Kousenai Furry Flaebae

    Joined:
    Jun 20, 2016
    Posts:
    72
    I just use an Excel document for example to store all my account passwords in that case; chances are that I'll remember the passwords for the accounts that I use often. Even if you can't remember 23 different passwords, it's easy to record.

    The current password limitations make the forum a lot safer, and it's not a big hassle for most of us.
     
  7. RedGhost

    RedGhost Guest

    Because having a document with all keys to your entire life is safer than no - in your password because...?

    XD
     
  8. Kousenai

    Kousenai Furry Flaebae

    Joined:
    Jun 20, 2016
    Posts:
    72
    Which is why you lock that document with a password which is in turn in another document locked with a password which is in another document locked with a password in a text file on your desktop.
    (I'm kidding.)
    Point is, for most of us it's not a problem capitalising a letter and throwing a dash in there, and it shouldn't be for you, either.
     
  9. Kousenai

    Kousenai Furry Flaebae

    Joined:
    Jun 20, 2016
    Posts:
    72
    If anything, your base password that you use for whatever number of websites should be more complex so that you don't have these problems. (Using a single/base password for multiple websites is generally unsafe though.)
     
  10. RedGhost

    RedGhost Guest

    I get that

    I too have a doc with all passwords and usernames (because of what I stated before) but I just feel like this is gonna cause lots of problems in the long run..

    Time will tell I guess.
     
  11. Mike

    Mike nobody important GMC Elder

    Joined:
    Apr 12, 2016
    Posts:
    2,413
    This was/is a security requirement, so it won't be changing. As I've said elsewhere, be thankful that we avoided the "Change it every N months" that was also requested......
     
    Andy and Kousenai like this.
  12. faissaloo

    faissaloo Guest

    I think you misunderstand the xkcd, it's not saying that you shouldn't use numbers and symbols, it's saying that you need to be less predictable in how you use them. More words is better, but so is a wider range of characters, you can have both and that is better, the issue with the second is that a rainbow table attack would easily crack it, since it's only 4 words, that are no doubt going to be in a dictionary because of how common they are. If you forced people to use at least one non-alphanumeric character the size of the dictionary would have to be much bigger.
     
    Nocturne likes this.
  13. Aleksandar Gavrilovic

    Aleksandar Gavrilovic Member

    Joined:
    Jun 20, 2016
    Posts:
    82
    I too hate having to change my password scheme. I added a 1 somewhere just so the prompt would be satisfied xD
     
  14. ShaunJS

    ShaunJS Just Another Dev GMC Elder

    Joined:
    Apr 12, 2016
    Posts:
    148
    As has been said, the length of the password is what is being demonstrated as the most important element in the XKCD comic. (I also particularly like its hover-over alt text...)

    The problem is that long passwords full of complex characters are difficult to remember. This can lead to people in offices sticking post-it notes on their monitor with their passwords or doing other things that _worsen_ the security of their password in trade for making it easier to remember.

    But we live in an age of password managers. I couldn't tell you what 95% of my passwords are anymore because they're all generated randomly by my password manager (I personally use LastPass, there are many available alternatives.)
    Each password is unique and typically >15 characters long with any number of special characters. I wouldn't have a hope of remembering them but I don't need to, as the chrome plugin automatically inserts the password into login boxes and it even works with my phone apps.
     
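The entropy argument behind the comic linked in the first post, and restated in posts 12 and 14, worked through in code. This is an added example, not code from the forum or its software; the bit counts, dictionary size and guess rate are the comic's own modelling assumptions, and the "special character" set of the thread's policy is assumed to be `string.punctuation`.

```python
import math
import string

# Assumption taken from the comic: an online attack at 1000 guesses per second.
GUESSES_PER_SECOND = 1000


def bits_random_chars(length: int, charset_size: int) -> float:
    """Entropy of a password drawn uniformly from charset_size symbols
    (what a password manager generates; the charset matters here)."""
    return length * math.log2(charset_size)


def bits_passphrase(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a
    dictionary (the dictionary size matters here, not the character set)."""
    return words * math.log2(dictionary_size)


def bits_mangled_word(word=16.0, caps=1.0, subs=3.0, digit=3.0,
                      punct=4.0, order=1.0) -> float:
    """The comic's model of 'Tr0ub4dor&3': an uncommon word plus
    predictable mangling. Each mangling step adds only a few bits."""
    return word + caps + subs + digit + punct + order


def years_to_exhaust(bits: float,
                     guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def passes_policy(pw: str, min_len: int = 10) -> bool:
    """A rule of the kind the thread describes: at least min_len characters
    plus one special character (assumed here to mean string.punctuation)."""
    return len(pw) >= min_len and any(c in string.punctuation for c in pw)


def compare(passphrase: str = "correct horse battery staple",
            mangled: str = "Tr0ub4dor&3") -> dict:
    """Constructed comparison: the composition rule accepts the weaker
    password and rejects the stronger passphrase."""
    return {
        mangled: (bits_mangled_word(), passes_policy(mangled)),
        passphrase: (bits_passphrase(4, 2048), passes_policy(passphrase)),
    }


if __name__ == "__main__":
    for pw, (bits, ok) in compare().items():
        print(f"{pw!r}: ~{bits:.0f} bits, policy accepts={ok}, "
              f"exhaustive search {years_to_exhaust(bits):.2f} years")
```

Under these assumptions the 28-bit mangled word is exhausted in about three days, while the 44-bit passphrase takes several centuries; a length- or entropy-based check would rank them the other way round from the composition rule.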
  15. NPT

    NPT Guest

    So one of the administrators' passwords to these forums:
    • Is probably not even known to him
    • Stored in the cloud
    • Autofilled by his browser/phone app
    • The security requirements of passwords on this site are lowered to the security requirements of LastPass

    And the new changes have improved security exactly how?
     
  16. Richard Mountain

    Richard Mountain Member

    Joined:
    Jun 20, 2016
    Posts:
    29
    LastPass is 256-bit AES encryption, I imagine they're pretty safe.

    Long passwords are great, if you can't remember them then get yourself a password safe.

    At present I've got over 200 unique passwords for various websites and this grows on a weekly basis.

    Nearly every password is 28 characters except for the sites that think 16 or less is acceptable, but heyho.

    Anyways there are several different password safes that you can use @ShaunJS mentioned LastPass, I personally use Dashlane as I'm about to sync it across all of my devices without issues and it will generate new passwords for me.
     
  17. Nocturne

    Nocturne Friendly Tyrant Forum Staff Admin

    Joined:
    Apr 13, 2016
    Posts:
    7,046
    @NPT: Don't be such a snark. Do you have any idea how LastPass actually works? It's pretty damn secure... and I fail to see how it's worse than having the password stored in a file locally, or written on a postit and stuck to the monitor. ;)

    https://lastpass.com/how-it-works/
     
  18. RedChu

    RedChu Member

    Joined:
    Jun 21, 2016
    Posts:
    2
    If you're having difficulties remembering your new password, there is one simple solution: get it tattooed on your forehead. Make sure you get it done backwards so you can read it in the mirror - you can put a mirror above your workstation (if you have one) to ensure you can sneak a peek at your password at any given time. This is much more secure than using notepad or LastPass, especially if you encrypt it using rot13 first. No one would ever suspect your GMC password is tattooed onto your forehead in reverse and rot13 encrypted. It's foolproof.

    With that said, just be grateful that there's no silly 10 character limit or something that some websites insist on imposing.
     
    Barvix, hippyman and Nocturne like this.
  19. ShaunJS

    ShaunJS Just Another Dev GMC Elder

    Joined:
    Apr 12, 2016
    Posts:
    148
    ...What?
    1. Accurate. What is the point being implied by this? Do you feel not knowing the password makes it somehow easier to be guessed by others?
    2. LastPass servers by necessity are far more secure than any forum software. There are several tiers of multi-factor authentication.
    3. Yes, again, after verifying my credentials with lastpass. What are you implying?
    4. See 2?
    I don't really understand this weird snide sarcasm unless it's based in some false assumption that password managers are inherently insecure?
     
    Geknow, Kousenai and Nocturne like this.
  20. NPT

    NPT Guest

    The problem with people who are reliant on password managers and don't even know what their passwords are: should their password be compromised, changed, and then the changed password replaced, they wouldn't even know it.

    This can't happen if you create your own password. Obviously preventing breaches is of huge concern, people put little thought into becoming aware when breaches occur.

    Correction. Optionally, there are several tiers of multi-factor authentication. A single master password with poor strength requirements may be used. And LastPass has been hacked, several times.

    http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571

    I'm glad you're verifying your credentials. That's not the default behaviour of LastPass, nor how a huge number of people use it. For many, within seconds anybody can run a browser, click on the LastPass icon and view URLs, usernames and plaintext passwords. All without authentication, and this is the default behaviour. Completely inexcusable.

    At least Chrome requires one to authenticate with one's Windows password.

    As much as LastPass purports to be a security company it's not. It's a convenience company, and as my post explains, more often makes a machine and password management less secure than more secure. Especially if installed in the default mode.

    YYG (or rather PlayTec) has created a policy that passwords must contain 10 chars plus 1 special character (perhaps upper/lowercase requirements and numeric, can't remember). By using a password manager you effectively negate that policy. And as described, LastPass's master policy is completely inadequate.

    Now, I'm not saying that LastPass and other password managers must be insecure, but their default install state and turned-off options and lack of features potentially only available with licensed versions often do make them inherently insecure.

    And BTW I've only addressed the points you've brought up, I could go on with dozens of other problems.

    PlayTec simply increasing the password strength policy does not really address security and can result in poorer security when taking actual user habits into account.

    I'm very familiar with how it works and I never said anything about storing password files locally or written on post-it notes.

    But, now that you've brought it up, the primary reason people do silly things like that is because of unreasonable password strength policies.
     
    RichHopefulComposer likes this.
  21. zbox

    zbox Member GMC Elder

    Joined:
    Jun 21, 2016
    Posts:
    796
    There are people who don't use LastPass or similar?? You're really doing yourself a disservice; I haven't looked back since. Randomly generated passwords for just about everything I don't have to access from other computers. It's a no-brainer.
     
  22. Mike

    Mike nobody important GMC Elder

    Joined:
    Apr 12, 2016
    Posts:
    2,413
    Okay - enough. We've been told these password rules are a requirement, I've said this enough times, and bitching and complaining won't change anything.

    Closed
     
    iTzCallumUK and Kousenai like this.