Suggestion Encouraging and requiring that passwords have numbers and symbols is very bad!

Status
Not open for further replies.
RedGhost

Guest
I agree, I use my old school password (which is 10 chars long, composed of letters and numbers seemingly randomly), yet it didn't work because I had to use a capital letter (no problem, first letter capital) but also a special character, for which _ didn't work..

It's a pain and almost impossible to remember. A password is made to be remembered, not to be forgotten.

If someone makes his password password1, well good for him. Because some people don't know the definition of password do we really have to have a hard time logging in each time trying to remember which of the billions of possible password mutations could've been used on this site?

I'm against the strong regulation, but don't remove it entirely. Add some kind of strong password bar like google accounts have.

And you know something is wrong when your gmail password is less strong than one of a forum..

And the bad part is, you need a password to look at images that users uploaded..

But I'm curious tho.. Why's it not going to happen?
 
Guest User

Guest
Oh, come on now. It's honestly not that hard to just make something up that fits and is easy to remember (like 'CookiesAndCream-89').
 
RedGhost

Guest
It is when you already have 23 different passwords because every site has different password requirements.
 
Guest User

Guest
I just use an Excel document for example to store all my account passwords in that case; chances are that I'll remember the passwords for the accounts that I use often. Even if you can't remember 23 different passwords, it's easy to record.

The current password limitations make the forum a lot safer, and it's not a big hassle for most of us.
 
RedGhost

Guest
Because having a document with all the keys to your entire life is safer than no '-' in your password because...?

XD
 
Guest User

Guest
Which is why you lock that document with a password which is in turn in another document locked with a password which is in another document locked with a password in a text file on your desktop.
(I'm kidding.)
Point is, for most of us it's not a problem capitalising a letter and throwing a dash in there, and it shouldn't be for you, either.
 
Guest User

Guest
If anything, your base password that you use for whatever number of websites should be more complex so that you don't have these problems. (Using a single/base password for multiple websites is generally unsafe though.)
 
RedGhost

Guest
I get that

I too have a doc with all passwords and usernames (because of what I stated before) but I just feel like this is gonna cause lots of problems in the long run..

Time will tell I guess.
 
faissaloo

Guest
I think you misunderstand the xkcd: it's not saying that you shouldn't use numbers and symbols, it's saying that you need to be less predictable in how you use them. More words is better, but so is a wider range of characters; you can have both, and that is better. The issue with the second is that a rainbow table attack would easily crack it, since it's only 4 words that are no doubt going to be in a dictionary because of how common they are. If you forced people to use at least one non-alphanumeric character, the size of the dictionary would have to be much bigger.
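To put numbers on the argument above (the forum's rule, the 'CookiesAndCream-89' style password and the four-word passphrase), here is an added worked example that is not from the thread. It compares the naive brute-force estimate with the estimate against an attacker who guesses dictionary words plus a few digits and symbols; the dictionary sizes are assumptions for illustration.

```python
"""Entropy estimates for the password schemes debated in this thread.
Added example, not from the forum; figures come from log2(search space)."""
import math
import string

SYMBOLS = string.punctuation  # the 32 printable ASCII symbols


def charset_size(pw: str) -> int:
    """Alphabet an attacker must enumerate if all they know is which
    character classes appear in the password (the naive strength view)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def naive_bits(pw: str) -> float:
    """Brute-force strength: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw))


def mutation_bits(n_words: int, dict_size: int, digits: int, symbols: int) -> float:
    """Strength against a dictionary attacker who tries 'words + digits +
    symbols' patterns, which is what CookiesAndCream-89 really is."""
    return (n_words * math.log2(dict_size)
            + digits * math.log2(10)
            + symbols * math.log2(len(SYMBOLS)))


def passphrase_bits(n_words: int, dict_size: int) -> float:
    """xkcd-style passphrase: the only secret is which words were chosen."""
    return n_words * math.log2(dict_size)


def meets_forum_policy(pw: str) -> bool:
    """10 characters plus one special character, as the thread describes
    the new rule (case/digit rules left out; the poster wasn't sure)."""
    return len(pw) >= 10 and any(c in SYMBOLS for c in pw)


if __name__ == "__main__":
    for pw in ("password1", "CookiesAndCream-89"):
        print(pw, meets_forum_policy(pw), round(naive_bits(pw), 1))
    # assumed dictionary sizes: 10,000 common words vs 2,048 (xkcd) vs 170,000
    print(round(mutation_bits(3, 10_000, 2, 1), 1))   # CookiesAndCream-89 pattern
    print(passphrase_bits(4, 2048), round(passphrase_bits(4, 170_000), 1))
```

The policy-compliant password looks like 118 bits by the naive count but only about 52 bits once the attacker models it as three common words, two digits and a symbol, which is the gap the xkcd comic and the post above are talking about.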
 
Aleksandar Gavrilovic

Guest
I too hate having to change my password scheme. I added a 1 somewhere just so the prompt would be satisfied xD
 

ShaunJS

Just Another Dev
GMC Elder
As has been said, the length of the password is what is being demonstrated as the most important element in the XKCD comic. (I also particularly like its hover-over alt text...)

The problem is that long passwords full of complex characters are difficult to remember. This can lead to people in offices sticking post-it notes on their monitor with their passwords or doing other things that _worsen_ the security of their password in trade for making it easier to remember.

But we live in an age of password managers. I couldn't tell you what 95% of my passwords are anymore because they're all generated randomly by my password manager (I personally use LastPass; there are many available alternatives.)
Each password is unique and typically >15 characters long with any number of special characters. I wouldn't have a hope of remembering them but I don't need to, as the chrome plugin automatically inserts the password into login boxes and it even works with my phone apps.
 
NPT

Guest
So one of the administrator's passwords to these forums:
  • Is probably not even known to him
  • Stored in the cloud
  • Autofilled by his browser/phone app
  • The security requirements of passwords on this site are lowered to the security requirements of LastPass

And the new changes have improved security exactly how?
 
Richard Mountain

Guest
And the new changes have improved security exactly how?
LastPass uses 256-bit AES encryption; I imagine they're pretty safe.


Long passwords are great, if you can't remember them then get yourself a password safe.

At present I've got over 200 unique passwords for various websites and this grows on a weekly basis.

Nearly every password is 28 characters except for the sites that think 16 or less is acceptable, but heyho.

Anyways, there are several different password safes that you can use. @ShaunJS mentioned LastPass; I personally use Dashlane, as I'm about to sync it across all of my devices without issues and it will generate new passwords for me.
 

Nocturne

Friendly Tyrant
Forum Staff
Admin
@NPT: Don't be such a snark. Do you have any idea how LastPass actually works? It's pretty damn secure... and I fail to see how it's worse than having the password stored in a file locally, or written on a postit and stuck to the monitor. ;)

https://lastpass.com/how-it-works/
 

RedChu

Member
If you're having difficulties remembering your new password, there is one simple solution: get it tattooed on your forehead. Make sure you get it done backwards so you can read it in the mirror - you can put a mirror above your workstation (if you have one) to ensure you can sneak a peek at your password at any given time. This is much more secure than using notepad or LastPass, especially if you encrypt it using rot13 first. No one would ever suspect your GMC password is tattooed onto your forehead in reverse and rot13 encrypted. It's foolproof.

With that said, just be grateful that there's no silly 10 character limit or something that some websites insist on imposing.
 

ShaunJS

Just Another Dev
GMC Elder
So one of the administrator's passwords to these forums:
  • Is probably not even known to him
  • Stored in the cloud
  • Autofilled by his browser/phone app
  • The security requirements of passwords on this site are lowered to the security requirements of LastPass

And the new changes have improved security exactly how?
...What?
  1. Accurate. What is the point being implied by this? Do you feel not knowing the password makes it somehow easier to be guessed by others?
  2. Lastpass servers by necessity are far more secure than any forum software. There are several tiers of multi-factor authentication.
  3. Yes, again, after verifying my credentials with lastpass. What are you implying?
  4. See 2?
I don't really understand this weird snide sarcasm unless it's based in some false assumption that password managers are inherently insecure?
 
NPT

Guest
Accurate. What is the point being implied by this? Do you feel not knowing the password makes it somehow easier to be guessed by others?
The problem with people who are reliant on password managers and don't even know what their passwords are: should their password be compromised, changed, and then the changed password replaced, they wouldn't even know it.

This can't happen if you create your own password. Obviously preventing breaches is of huge concern, people put little thought into becoming aware when breaches occur.

Lastpass servers by necessity are far more secure than any forum software. There are several tiers of multi-factor authentication.
Correction. Optionally, there are several tiers of multi-factor authentication. A single master password with poor strength requirements may be used. And Lastpass has been hacked, several times.

http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571

Yes, again, after verifying my credentials with lastpass. What are you implying?
I'm glad you're verifying your credentials. That's not the default behaviour of LastPass, nor how a huge number of people use it. For many, within seconds anybody can run a browser, click on the LastPass icon and view URLs, usernames and plaintext passwords. All without authentication, and this is the default behaviour. Completely inexcusable.

At least Chrome requires one to authenticate with one's Windows password.

As much as LastPass purports to be a security company, it's not. It's a convenience company, and as my post explains, it more often makes a machine and password management less secure than more secure. Especially if installed in the default mode.

YYG (or rather PlayTec) has created a policy that passwords must contain 10 chars plus 1 special character (perhaps upper/lowercase and numeric requirements too, can't remember). By using a password manager you effectively negate that policy. And as described, LastPass's master policy is completely inadequate.

Now, I'm not saying that LastPass and other password managers must be insecure, but their default install state, turned-off options and lack of features potentially only available with licenced versions often do make them inherently insecure.

And BTW I've only addressed the points you've brought up, I could go on with dozens of other problems.

Playtec simply increasing the password strength policy does not really address security and can result in poorer security when taking actual user habits into account.

@NPT: Don't be such a snark. Do you have any idea how LastPass actually works? It's pretty damn secure... and I fail to see how it's worse than having the password stored in a file locally, or written on a postit and stuck to the monitor. ;)

https://lastpass.com/how-it-works/
I'm very familiar with how it works and I never said anything about storing password files locally or written on post-it notes.

But, now that you've brought it up, the primary reason people do silly things like that is because of unreasonable password strength policies.
 

zbox

Member
GMC Elder
There are people who don't use lastpass or similar?? You're really doing yourself a disservice; I haven't looked back since. Randomly generated passwords for just about everything I don't have to access from other computers. It's a no brainer.
 

Mike

nobody important
GMC Elder
Okay - enough. We've been told these password rules are a requirement, I've said this enough times, and bitching and complaining won't change anything.

Closed
 