A study was done that claims a 3-word password is MORE secure than the arbitrary password rules used by 99% of the business entities out there because it's harder to brute force them.
A space is a valid character and should not be disallowed.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
"let me in"
Yep... ain't nobody cracking that bad boy
Anyway, I don't disagree about the study, but a good site shouldn't allow brute force attacks, so it shouldn't matter. Not difficult to lock an account after 5 or so failed attempts, right?
musefan wrote: Not difficult to lock an account after 5 or so failed attempts, right?
Hackers are not brute forcing on the site; they already have the encrypted password in a file and are brute forcing until the result matches. There are tools to set up all this and even guessing salt values.
Why would they already have the encrypted password?
Ever heard of Equifax?
Or Ashley Madison?
Well - That's why they have them.
-= Reelix =-
Well, the idea is that you don't use that sort of 3-word sequence...
Sort of reminds me of a site I was on earlier this week that had a "contact us" page. In the Comment box, I asked my question, and properly terminated it with a question mark. Clicking the Submit button produced a "The comment field does not allow special characters" message. I spent several minutes fiddling with the characters, spacing, etc., until I eventually removed the question mark, and it went through.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
Smart... that way when you never hear back from them they have a solid defence:
"Well, you didn't technically ask us a question to reply to"
I hope you added a polite comment at the end.
So I cannot use 'correct horse battery staple' as my password? Awwww
At which point the system (assuming any competent developer wrote it) should respond with:
Sorry, that password is already in use. Why not try "Tr0ub4dor&3" instead?
Sorry, you have to make your password just a bit more "hackable".
Brent
I had one some years ago: a friend's mother had signed up with a password she could remember - her daughter's first pet, a cat called "PEPSI". And this worked for ages, until the company was bought out by one with more restrictive passwords. When she replaced the computer, she couldn't sign in to her email any more because the password was wrong. And she couldn't change it because they required her old password to set a new one, and that wasn't valid under their new rules ... It took some long, drawn-out phone conversations to sort that one out.
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
AntiTwitter: @DalekDave is now a follower!
Just when you think you're getting used to all the stupid in the world, something comes along and breaks the mould.
Why would anybody put validation on the login password? It just belongs on the "new" and "confirm" fields!
I would be annoyed to have such a limitation. Passwords shouldn't be stored in clear text in the first place anyway, but rather salted and hashed, so I don't see any reason to limit the character set (except maybe for control characters).
"Five fruits and vegetables a day? What a joke!
Personally, after the third watermelon, I'm full."
My ISP gives you an IP address with a password (which YOU can change). When you point your browser to the IP address, you enter a page where you can configure many of the router parameters. (Dangerous in some hands!) You have full control of the router and WiFi passwords. Nice (for me, at least).
Mine does the same, except the router apparently runs past their software as well. I actually tried to log into my router to change the password myself. My error message was "Cannot connect to the internet!"
So I couldn't connect to the internet and I couldn't change the password so I could connect to the internet.
Brent
Quote: So I couldn't connect to the internet and I couldn't change the password so I could connect to the internet
All I can say is: 'Rats!'
My ISP is Spectrum. I have never had similar issues with their equipment.
Passwords should be hashed so who cares about the characters? I would allow only printable ASCII though because those are universal and won't create problems in case of bad / strange keyboard configuration.
Still a lot of characters for passwords.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
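The two posts above (hash the password, so reject only control characters; or, more conservatively, allow only printable ASCII) can be put side by side in code. This is an added example, not code from any poster; the policy function, the PBKDF2 parameters and the stored-hash format are my own choices, and the policy is applied only at registration, not at login, as an earlier poster argued.

```python
import hashlib, os, secrets, unicodedata
from typing import Optional, Tuple

def password_allowed(pw: str, ascii_only: bool = False) -> Tuple[bool, str]:
    """Registration-time policy. Any printable character is fine, spaces included;
    only control characters are rejected (ascii_only adds the printable-ASCII limit
    one poster prefers). Because the stored value is a fixed-size hash, neither the
    character set nor the length of the password affects storage."""
    if len(pw) < 8:
        return False, "password too short"
    if any(unicodedata.category(c).startswith("C") for c in pw):  # Cc, Cf, Cn, Co, Cs
        return False, "control characters are not allowed"
    if ascii_only and not all(0x20 <= ord(c) <= 0x7E for c in pw):
        return False, "only printable ASCII is allowed"
    return True, "ok"

def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 (iteration count chosen for this example):
    the output is always a 16-byte salt plus a 32-byte digest, whatever pw is."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"

def verify_password(pw: str, stored: str) -> bool:
    """Login-time check: no policy here, only a constant-time comparison, so a
    password that was valid when it was set keeps working after the rules change."""
    _algo, salt_hex, _dk_hex = stored.split("$")
    return secrets.compare_digest(hash_password(pw, bytes.fromhex(salt_hex)), stored)
```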
I prefer the Kerberos strategy: You send no password at all across the network. You send a request for a "ticket", a proof that you are entitled to use a specific service. This request need not be encrypted at all (well, maybe if you want to keep it a secret that you make use of that service, but in any case, a MITM will see which IP address you go to).
In return you get a ticket that is encrypted with your password. You decrypt it locally, at your own PC, and enclose it with your requests to the service.
Part of the ticket is encrypted with the password of the service, so you can't fix it up to give you any rights that you are not entitled to. The ticket is valid for a limited period (like 8 hours), so if anyone steals it, they can't use it the next day. The ticket may contain your IP address, so that service requests from an intruder on a different IP address are rejected. It may contain a one-time encryption key that you can use for the session with the service; the service will find the corresponding key in the part encrypted with the service's key.
I think the Kerberos strategy is so great that I cannot understand why it hasn't been universally adopted. It certainly is not because we have something that is a lot better. It seems like web service developers simply do not know about it, which is a pity.
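The ticket flow described in the post above, reduced to its checks, as an added example (not the poster's code and not real Kerberos): an unencrypted request names the client, the service and the client's address; the reply is sealed under the client's password-derived key and carries a session key plus a ticket that is sealed under the service's key, with an expiry and the client's address inside. The sealing primitive, the JSON layout and the 8-hour lifetime are choices made for this example; `seal`/`unseal` is a toy construction standing in for a real AEAD.

```python
import hashlib, hmac, json, os
# Toy sealing primitive for the example: HMAC-SHA256 keystream (confidentiality) plus
# encrypt-then-MAC (integrity). Real code would use AES-GCM or ChaCha20-Poly1305.
def _subkeys(key: bytes):
    return hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")

def _keystream(ek: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.digest(ek, nonce + i.to_bytes(4, "big"), "sha256") for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(mk, nonce + ct, "sha256")

def unseal(key: bytes, sealed: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mk, nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered ticket")
    return bytes(c ^ s for c, s in zip(ct, _keystream(ek, nonce, len(ct))))

def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # toy string-to-key; real KDCs salt and iterate

def kdc_issue(kdb: dict, client: str, service: str, addr: str,
              now: float, ttl: int = 8 * 3600) -> bytes:
    """Answer an unauthenticated, unencrypted request: who you are, which service, from where."""
    session_key = os.urandom(32).hex()
    # Service part: sealed with the service's key, so the client cannot alter what it grants.
    ticket = seal(key_from_password(kdb[service]),
                  json.dumps({"client": client, "addr": addr, "exp": now + ttl, "skey": session_key}).encode())
    # Client part: sealed with the client's key; only the password holder can use the reply.
    return seal(key_from_password(kdb[client]),
                json.dumps({"skey": session_key, "exp": now + ttl, "ticket": ticket.hex()}).encode())

def client_open(password: str, reply: bytes) -> dict:
    return json.loads(unseal(key_from_password(password), reply))  # decrypted locally, never sent

def service_accept(service_password: str, ticket_hex: str, from_addr: str, now: float) -> bytes:
    """Service-side checks: integrity/origin via its own key, then expiry and address binding."""
    t = json.loads(unseal(key_from_password(service_password), bytes.fromhex(ticket_hex)))
    if now > t["exp"]:
        raise PermissionError("ticket expired")
    if t["addr"] != from_addr:
        raise PermissionError("ticket presented from a different address")
    return bytes.fromhex(t["skey"])  # the session key the client also holds
```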
I am fine with that as long as they remember to change their prompt to:
"Enter yourpassword"
so that I still know what to type in...
I, for one, like Roman Numerals.
All of my passwords must include a gang sign.
When I was growin' up, I was the smartest kid I knew. Maybe that was just because I didn't know that many kids. All I know is now I feel the opposite.
On a site where I needed to register an account, they had a restriction for the password to be at least 8 characters. Full stop.
I entered a password of 14 characters and got an error message: password too short.
After a uselessly long effort to get past the %#$%#&%#&# smart menu on the phone where none of the options addressed my issue, I eventually got to a(n alleged) human.
I had entered a password with upper, lower, numeric, and special characters.
Turns out only characters that appear on a phone are allowed.
It would seem the dev who wrote the (regex?) validation only returned one error response to me: password too short.
But I never wave bye bye
Well, someone had to say it. Passwords, no matter how complex, are easily hackable.
This is what Bitcoin depends on; they call them "Miners".
The only difference is that transactions in Bitcoin are much more complex, and harder to crack than any password you can come up with, or (generate).
2-factor (cell phone) is being touted as a cure, but once they get in, they have your phone number, and can easily change profile settings to be their (burner) phone.
The fuss about the lengths, characters, and all that.... is also frustrating.
You could depend on the hacker to take the easier way out, and not spend the time to crack a good password... but then again, it may incent them to spend the "crack time", because of the implication of it being a special case, which might reward the extra time.
Yes, I said "Crack time".
Keep It Simple, keep it moving.