Welcome and bye bye {- forum password length}
-
@herosrest we feel sad to see you go.
The reason why we are pushing for passwords with at least 12 letters is that, according to Intel, it takes 15 hours for hackers to crack an 8-letter password and 4'000'000 years to crack a 12-letter password. See it for yourself with their demo here https://share.getcloudapp.com/d5uv6z24
-
@gaelle Yes, but that still assumes they are able to obtain the actual password hash first, and you're not going to let that happen, are you?
Nobody in their right mind would brute-force a login dialog by trying several million combinations, their IP would most likely be blocked.
Personally I think 8 letters is fine for most people... obtaining a password hash means security has failed miserably somewhere else and not in the length of the password...
-
@Pathduck said in Welcome and bye bye {- forum password length}:
they are able to obtain the actual password hash first ....
Their (NodeBB) control & access software is simple. The UI and the check boxes, where the admin defines the user auth
@Pathduck said in Welcome and bye bye {- forum password length}:
Nobody in their right mind would brute-force a login dialog by trying several million
Lol, true. Remember, there was no Ryzen
Lastly, I use a sentence as my pw, and change it regularly.
Edited: removed unnecessary quotes
-
Well, it depends on how the passwords are stored in the database. If you use Argon2 with aggressive enough parameters, you could make it so the hash is nearly impossible to compute in the first place, let alone collisions. If the GPU farm is doing 10 hashes a second on a 1 megabyte key, it might take them a hot minute. You'll have to wait in line to log in of course if the server can only process 1 login a minute.
If you have to rely on every service provider to keep you safe, eventually someone will fail, and with an easy-to-crack password and password recycling, you're not doing yourself any favors. I'd recommend a password manager with unique and random passwords for every website. Then if any one website fails, they have a useless string of random characters unusable anywhere else.
-
Not only the storage, a safe DB. Passwords are sending and receiving data, hence .....
-
@xyzzy or make all passwords "1234567890ab" - about as sensible.
I hope you read his post very carefully because I agree 200% and have long ago suggested that all passwords should be replaced by facts, where a sample of 10 should suffice to identify everyone on earth - as long as you allow everyone to choose what to look for. Most who have worked with security and people know, and the problem is that robots also have a pattern, the same every time. The danger of being able to expose an intruder keeps the intruders away. So: no password but hey guys, let us see what you do, what you type, your searches, and we will tell you who you are and where you live, your mobile number, and the name of your dog - we know. When we know who you are, would this one dare post the wrong fingerprint in a request for id? You may know the password to someone, but we know who you really are.
Go back to 1985, "Larry" - and learn!
-
@lamarca Spot on, and since everyone uses a code, these are easy to capture. These days with CSS and Google, Microsoft and Cloudflare follow you with "free fonts" in your tax return and Internet bank. If they decide on the look of the font, they also know every letter and digit. It may look elegant but there is no understanding among the young kids about security issues.
But the browser can stop access to other sites for "style" type of information: font, colour and size. It is not perfect, but fully possible to make a limited number (5) of fonts, sizes and shapes, and to make a default mapping of colours to a palette. Then it is to publish these and ask for global acceptance, providing a tool to stop the big servers from intercepting everything.
-
@lamarca said in Welcome and bye bye {- forum password length}:
Lastly, I use a sentence as my pw, and change it regularly.
I have been doing the same for almost 15 years. Had to, as I have access to a 'God's account'.
-
@herosrest , a good way to remember long passwords is to use for example favorite quotes or proverbs and replace some letters with numbers that look similar. So there are no problems to remember them, even if they have more than 12 signs. At least that's how I do it.
-
@Gaëlle Yeah, well sorry to break in but also a 12-letter password made by joining two 6-letter words is much easier to break by dictionary attack than a strong 8-letter password (or even 6 characters if including symbols). I came to this thread for the same reason as the OP and I couldn't help myself from commenting on this issue, specifically related to your idea that a 12-letter password is harder to "crack" ... that is, according to Intel (oh and why do we need Intel to "teach" us this concept anyway?).
I made my 12-letter password this way, by joining two 6-letter words, without any problem.
If the reason behind this is strong passwords, then for the sake of consistency there should also be a password strength check mechanism. Because applesapples is not a strong password, while aP91e$ is much stronger.
-
@paul-cretu , if we base it on a set of 112 characters we can calculate the possibilities. There is a big difference between 112^6 = 1.973.822.685.184 (brute force crack in seconds with a modern PC) and 112^12 = 3.896 × 10^24 permutations (a lot of years).
Permutations = character set ^ password length
-
@Hadden89 , 8 characters + 1234 and 12 characters are the same, both have 12 characters, so the number of possible permutations does not change, at least if the attacker knows that you have added 1234.
That is why it is better to use 12 characters (signs, capitals, lower case and numbers) directly with the system I have mentioned before (phrases, quotes) to memorize it more easily.
-
@Catweazle I know that, it was meant as a "workaround" for the OP (and was already mentioned).
-
@Hadden89 , the length of the password should naturally be related to the importance of the site where we registered and the interest that it can arouse in attackers. A password for a bank account is not the same as one for a Habbo account.
-
@Catweazle Of course. But a lot of people tend to put crap in their passwords when a longer phrase is enforced.
Especially people who don't use password managers. The best solution to "educate users" is the colored bar with security links.
- red: Weak password. A hacker could easily discover the pwd and steal your data. You've been warned!
- orange: Normal password. Harder to grab user data. We still suggest a stronger password.
- green: Your password is ok. Keep it safe.
[Bonus: useful tips to generate a safe&easy to remember pwd]
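The keyspace formula from the earlier post (Permutations = character set ^ password length), the dictionary-attack objection about two joined 6-letter words, and the three-colour bar proposed above, worked through as an added example that is not part of the thread; the word-list size, sample word set, guess rate and colour cut-offs are all assumptions:

```python
import math
import string
from typing import Optional

# Constructed figures for illustration (not from the thread): the attacker's
# assumed 6-letter word-list size, a sample word set used only to recognise
# word-built passwords, and an assumed guess rate for one GPU on a fast hash.
DICT_SIZE = 20_000
WORDS = {"apples", "orange", "secret", "castle"}
GUESSES_PER_SEC = 1e10

def brute_force_keyspace(charset_size: int, length: int) -> int:
    """Permutations = character set ^ password length, as stated in the thread."""
    return charset_size ** length

def seconds_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SEC) -> float:
    return keyspace / rate

def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)

def splits_into_words(pw: str, words: set) -> Optional[int]:
    """Fewest word-list entries that concatenate to pw, or None if impossible."""
    best = [0] + [None] * len(pw)
    for i in range(1, len(pw) + 1):
        for j in range(i):
            if best[j] is not None and pw[j:i].lower() in words:
                if best[i] is None or best[j] + 1 < best[i]:
                    best[i] = best[j] + 1
    return best[-1]

def estimate_bits(pw: str, words: set = WORDS, dict_size: int = DICT_SIZE) -> float:
    """Bits of work for the cheaper of the two attacks the thread discusses."""
    n_words = splits_into_words(pw, words)
    if n_words:
        # Attacker tries joined word-list entries: dict_size ^ number of words.
        return entropy_bits(dict_size ** n_words)
    size = 0  # otherwise brute force over the character classes actually used
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return entropy_bits(brute_force_keyspace(max(size, 1), len(pw)))

def rating(bits: float) -> str:
    """Three-colour bar as proposed in the thread; the cut-offs are assumed."""
    if bits < 36: return "red"
    if bits < 60: return "orange"
    return "green"
```

With these assumptions applesapples lands in red, aP91e$ in orange and a random 12-character mixed password in green, which is the ordering the two posts argue for.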
-
@Hadden89 , anyway, before long passwords will be outdated as protection. Google and Microsoft already have quantum computers, that is to say that in the near future we need physical tokens or another system.
https://www.livescience.com/google-hits-quantum-supremacy.html
-
@herosrest said in Welcome and bye bye {- forum password length}:
my way of protecting passwords is excellent
No, it's not. Any 8 character password can be cracked in around 2 hours and that's considering you're using special characters and it's truly random. Given that you most likely have a very shallow password so you can remember it, it's pretty certain your passwords could be cracked much faster. Get yourself a password manager and forget about remembering passwords. Personally I only have about 4 or 5 passwords in my head, but they're all over 20 characters. Vivaldi isn't one of them. If anything, 12 characters is far too short, should be double that length.
-
Hi, my mobile has a 4-digit password and my bank account a 5-digit password, limited by the bank.
Try to crack it, no way.
I think these "I can crack an 8-digit password in n amount of time" claims have nothing to do with the real world.
Even my router kicks you after 3 wrong passwords, how to crack?
Cheers, mib
-
@mib2berlin , My bank apart from a password uses the value of a custom coordinate card they gave me.