Password requirements are slightly too extreme
-
Today I decided to log in after a long time. This means I had to reset my password for a few reasons. Overall, the password requirements are standard and decent, but the length requirement is kinda extreme. I am aware some users are using passwords as long as 20 or even 40 characters. Personally I'm not a fan of such long passwords; imo perfect passwords are between 5 and 10 characters long, at least for my needs. Is Vivaldi going to change these requirements or is it permanent? Also I'm curious why Vivaldi chose 12 characters for the password length?
-
@spectatorx IIRC the shortest password allowed is 12 characters. Is that your experience? That seems reasonable.
-
@Pesala Apologies, I forgot to specify that; I just edited the original post to correct it.
There is one positive thing I have to say about Vivaldi sites (blog, forum, etc.), which is that I find them exceptionally well suited for mobile when viewed in mobile view. Most websites which have "mobile" views are horrible to navigate on a phone.
-
@spectatorx said in Password requirements are slightly too extreme:
imo perfect passwords are between 5 to 10 characters long
Passwords of this length suffer two major problems:
- They are usually very hard to remember (because we cram in special characters, upper case, lower case, numbers, etc.), causing you to reuse passwords across websites.
- Even if you cram in all those kinds of stuff they can still be cracked by modern computers.
So websites should enforce at least 10 characters, preferably more. If you use passphrases instead of passwords you can have phrases of 20+ chars that are both easier to remember than normal passwords and still easy to write. Or use a password manager, and never bother remembering a password again.
Relevant xkcd: https://www.xkcd.com/936/
-
@Komposten's suggestion to use passphrases made up of unrelated words instead of a random mix of letters, numbers and symbols is a very good one.
Short passwords are just not strong enough anymore and can be easily brute forced. So, to keep your data safe we've made a minimum 12 character password a requirement.
Here's another illustration to show why long passwords are better:
-
@jane-n So... with this .gif you want to tell me 10 characters is enough and I do not need 12 characters to have a safe password, am I correct?
Anyway, no website should allow multiple unsuccessful login attempts and should block login for the IP/device for some time, so this should prevent brute force, or just implement other solutions to prevent this method of attack.
-
@spectatorx You didn't understand at all, you might wanna rewatch a couple times.
-
@spectatorx said in Password requirements are slightly too extreme:
Anyway, no website should allow multiple unsuccessful login attempts and should block login for the IP/device for some time, so this should prevent brute force, or just implement other solutions to prevent this method of attack.
That's not the problem. Say that website X gets hacked and hackers obtain Bob's username and hashed password. Then they start their Password Cracker X1000, enter the hash, and wait. Voilà! They found a 6-character password that has the same hash as Bob's! Now they go back to website X, enter Bob's username and password and log in on the first attempt. Then they go to Amazon and enter the same username and password, and get logged in there too because Bob was using the same password there. And since he saved his credit card info last time he bought something from Amazon, the hackers can now buy anything they want and Bob will pay for it.
Once a username + password match has been found, the hacker can go to another program that will automatically try those credentials on thousands of (popular) websites to find out if Bob was using it elsewhere.
Fun fact: According to Have I Been Pwned? there are almost 8.5 billion leaked accounts, with various information included. This excludes, of course, all the leaks that Have I Been Pwned? is currently unaware of. Of course, most of the passwords involved here are (hopefully) hashed, so it's not like there are 8.5 billion cracked passwords. But still.
-
@jane-n said in Password requirements are slightly too extreme:
Short passwords are just not strong enough anymore and can be easily brute forced. So, to keep your data safe we've made a minimum 12 character password a requirement.
So, password1234 is more secure than g}H_�4, that's interesting...
-
@pafflick I now use the one suggested here:
@luetage said in Keep your data safe across devices: You could for example do this: Sync2&&&&&&&&&&&&&&&&&&&& and it would be as safe as a randomly created password
I understood it was safe.
(but please, don't tell anyone I'm using it)
-
@pafflick I assume you are sarcastic, but anyway:
Password cracking generally takes two forms:
- Brute forcing. Try every imaginable combination. Cracks g}H_�4.
- Dictionary attacks. Try common words and patterns and derivations thereof. Cracks password1234 (and p4ssw0rd1234, birthdate variations, etc.).
So they're probably equally unsafe.
(I know that isn't true, btw, as password1234 will be one of the first tested.)
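As an added example (not code from this thread, Vivaldi or any poster), here is a small Python model of the two attack forms just described, extended with two more that the thread touches on: the "short core plus repeated filler" pattern of the Sync2&&&… password quoted above, and diceware-style passphrases. It scores each password by whichever strategy is cheapest. The hash rate, wordlist and diceware sizes, the tiny sample wordlist and the random stand-in `g}H_k4` (the thread's 6-character example lost its last character) are all assumptions, not figures from the thread.

```python
import math
import re
import string

# Assumptions, not figures from the thread: leaked unsalted fast hash tried at
# 1e10 guesses/s, a 10-million-entry cracking wordlist, a 7776-word diceware
# list, and filler run lengths up to 32 tried in the pattern attack.
HASH_RATE = 1e10
WORDLIST_SIZE = 10_000_000
DICEWARE_SIZE = 7776
RUN_BITS = math.log2(32)
# Constructed stand-in for a real wordlist; used only for the membership check.
SAMPLE_WORDLIST = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}
UNLEET = str.maketrans("4301@$5", "aeolass")  # undo common leet substitutions

def brute_force_bits(pw: str) -> float:
    """Exhaustive search over the character classes the password actually uses."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    size = sum(n for test, n in classes if any(test(c) for c in pw))
    return len(pw) * math.log2(size) if size else 0.0

def pattern_bits(pw: str) -> float:
    """Short core plus repeated filler: each run costs one symbol and a length guess."""
    runs = [(m.group(0)[0], len(m.group(0))) for m in re.finditer(r"(.)\1*", pw)]
    core = "".join(ch for ch, _ in runs)
    return brute_force_bits(core) + sum(RUN_BITS for _, n in runs if n > 1)

def dictionary_bits(pw: str):
    """Wordlist plus rules (undo leet, strip up to 4 trailing digits); None if no hit."""
    m = re.fullmatch(r"(.+?)(\d{0,4})", pw)
    if not m or m.group(1).lower().translate(UNLEET) not in SAMPLE_WORDLIST:
        return None
    return math.log2(WORDLIST_SIZE * 2 * 10 ** len(m.group(2)))  # x2: leet on/off

def passphrase_bits(pw: str):
    """Two or more plain words: attacker picks each one from the diceware list."""
    words = re.split(r"[ \-_]+", pw)
    if len(words) < 2 or not all(w.isalpha() for w in words):
        return None
    return len(words) * math.log2(DICEWARE_SIZE)

def effective_bits(pw: str) -> float:
    """The attacker uses whichever strategy is cheapest for this password."""
    hits = [brute_force_bits(pw), pattern_bits(pw), dictionary_bits(pw), passphrase_bits(pw)]
    return min(b for b in hits if b is not None)

def crack_seconds(pw: str) -> float:
    """Expected time: on average half of the cheapest search space is tried."""
    return 2 ** effective_bits(pw) / 2 / HASH_RATE
```

Under these assumptions password1234 and p4ssw0rd1234 score identically (about 37.5 bits), slightly below the random 6-character string, and Sync2 followed by twenty & characters drops from 164 brute-force bits to about 44 once repeated filler is modelled.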
-
In my mind, the best thing you can ask for is not massive amounts of entropy, just uniqueness.
If someone else used the same password - no matter how random - and it was leaked, your credentials are vulnerable to an offline dictionary-based attack (through no fault of your own).
It just so happens that having lots of entropy is usually a good first step to having a unique password.
-
@Komposten Yes, but actually no. According to https://howsecureismypassword.net/ hacking password1234 would take four years, whereas g}H_�4 could be hacked in just one year.
-
Another easy method for finding (and remembering) a long password is the diceware list.
-
@pafflick howsecureismypassword probably doesn't do the most advanced dictionary attack testing. ^^