Welcome and bye bye {- forum password length}



  • I have become fond of the Win browser and decided, despite the chaotic nature of Vivaldi, to open an account. Quelle surprise...... 12 character password. Well, I use 8 character passwords in a way which suits me and which I am simply able to remember. There are many but at eight I am able to simply recall from memory and change and remember at will. So, big fail on requiring 12 characters. I do not write passwords anywhere and I do not store them electonically. Of course if someone is determined to learn the code then there is nothing anyone alive can do about that but all in all, my way of protecting passwords is excellent. 12 character code is useless to me and is an immense fail. I'm quite serious and for one and all involved with development I will point out that security very quickly impairs and ruins usability which..... as I understand things is what the entire project is about. I will forget this password because it is 12 characters and because I do not intend to spend forever more resetting the password, the account is useless and worse than useless in being stupidly frustrating as most admin edicts are. A 12 character password code is anti-usability and as dumb as ducks.

    There ya go. Totally useless advanced features. So sad.


  • Moderator

    @herosrest Sorry to hear that you feel this way.

    Well, I use 8 character passwords in a way which suits me and which I am simply able to remember.

    Okay, well, if you should change your mind then go with that and add 1234 to the end.



  • @herosrest said in Welcome and bye bye {- forum password length}:

    chaotic nature of Vivaldi

    ok, Vivaldi is clearly not for you, be happy with chrome then.


  • Community Manager

    @herosrest we feel sad to see you go. 😢
    The reason why we are pushing for passwords with at least 12 letters is that, according to Intel, it takes 15 hours for hackers to crack 8 letters password and and 4'000'000 years to crack a 12 letters password.

    See it for yourself with their demo here 👉 https://share.getcloudapp.com/d5uv6z24



  • @gaelle Yes, but that still assumes they are able to obtain the actual password hash first, and you're not going to let that happen, are you? 😉

    Nobody in their right mind would brute-force a login dialog by trying several million combinations, their IP would most likely be blocked.

    Personally I think 8 letters is fine for most people... obtaining a password hash means security has failed miserably somewhere else and not in the length of the password...


  • Moderator

    @Pathduck said in Welcome and bye bye {- forum password length}:

    they are able to obtain the actual password hash first ....

    Their (NodeBB) control&access software is simple. The UI and the check boxes, where the admin defines the user auth

    @Pathduck said in Welcome and bye bye {- forum password length}:

    Nobody in their right mind would brute-force a login dialog by trying several million

    Lol, true. Remember, there was no Ryzen

    Lastly, I use a sentence as my pw, and change it regularly.

    Edited: removed unnecessary quotes



  • Well, it depends on how the passwords are stored in the database. If you use Argon 2 with aggressive enough parameters, you could make it so the hash is nearly impossible to compute in the first place, let alone collisions. If the GPU farm is doing 10 hashes a second on a 1 megabyte key, it might take them a hot minute. You'll have to wait in line to log in of course if the server can only process 1 login a minute.

    If you have to rely on every service provider to keep you safe, eventually someone will fail and with an easy to crack password and password recycling, you're not doing yourself any favors. I'd recommend a password manager with unique and random passwords for every website. Then if any one website fails, they have a useless string of random characters unusable for anywhere else.


  • Moderator

    Not only the storage, a safe Db. Password are sending and receiving data, hence .....



  • @xyzzy or make all passwords "1234567890ab" - about as sensible.
    I hope you read his post very carefully because I agree 200% and have long ago suggested that all passwords should be replaced by facts where a sample os 10 should suffice to identify everyone on earth - as long as you allow everyone to chose what to look for. Most who has worked with security and people know, and the problem is that robots also have a pattern, the same every time. The danger of being able to expose an intruder keeps the intruders away. So: no password but hey guys, let us see what you do, what you type, your searches, and we will tell you who you are and where you live, your mobile number, and the name of your dog - we know. When we know who you are, would this one dare post the wrong fingerprint in a request for id? You may know the password to someone, but we know who you really are.
    Go back to 1985, "Larry" - and learn!



  • @lamarca Spot on, and since everyone uses a code, these are easy to capture. These days with CSS and Google, Microsoft and Cloudflare follows you with "free fonts" in your tax return and Internet bank. If they decide on the look of the font, they also know every letter and digit. It may look elegant but there is no understanding among the young kids about security issues.
    But the browser can stop access to other sites for "style" type of information: font, colour and size. It is not perfect, but fully possible to make a limit number (5) of fonts, size and shapes, and to make default mapping of colours to a palette. Then it is to publish these and ask for global acceptance, providing a tool to stop the big servers to intercept everything.


  • Ambassador

    @lamarca said in Welcome and bye bye {- forum password length}:

    Lastly, I use a sentence as my pw, and change it regularly.

    I have been doing the same for almost 15 years. Had to as I access to a 'God's account.


  • Ambassador

    @herosrest , a good way to remember long passwords is to use for example favorite quotes or proverbs and replace some letters with numbers that look similar. So there are no problems to remember them, even if they have more than 12 signs. At least that's how I do it.



  • @Gaëlle Yeah, well sorry to break in but also a 12 letter password made by joining two 6-letter words is much easier to break by dictionary attack, than a strong 8 letter password (or even 6 characters if including symbols). I came to this thread for the same reason as the OP and I couldn't help myself from commenting on this issue, specifically related your idea that 12 letter password is harder to "crack" ... that is, according to Intel (oh and why do we need Intel to "teach" us this concept anyway?).
    I made my 12 letter passwrd this way, by joining two 6-letter words, without any problem.
    If the reason behind this is strong passwords, the for the sake of consistency there should be also a password strenght check mechanism. Because applesapples is not a strong password, while aP91e$ is much stronger.


  • Ambassador

    @paul-cretu , if we base on a set of 112 characters we can calculate the possibilities. There is a big difference between 112^6 =1.973.822.685.184 ( brute force crack in seconds with a modern PC) and 112^12 = 3.896^24 permutations (a lot of years)

    Permutations = caracter set^password lenght



  • This post is deleted!

  • Ambassador

    @Hadden89 , 8 characters + 1234 and 12 characters are the same, both have 12 characters, so the number of possible permutations does not change, at least if the attacker knows that you have added 1234.
    That is why it is better to use 12 characters (signs, capitals, lower case and numbers) directly with the system I have mentioned before (phrases, quotes) to memorize it more easily.



  • @Catweazle I know that, it was meant as a "workaround" for the OP (and was already mentioned).


  • Ambassador

    @Hadden89 , The length of the password should naturally be related to the importance of the site where we registered and the interest that it can arouse in attackers. A password for a bank account is not the same as one for a Habbo account



  • @Catweazle Of course. But a lot of people tend to put crap in their passwords when a longer phrase in enforced.
    Especially people which don't use password managers.

    The best solution to "educate users" is the colored bar with security links.

    • red: Weak password. An hacker could easily discover the pwd and steal your data. You've been warned!
    • orange: Normal password. Harder to grab user data. We still suggest a more strong password.
    • green: Your password is ok. Keep it safe.

    [Bonus: useful tips to generate a safe&easy to remember pwd]


  • Ambassador

    @Hadden89 , anyway passwords inside not long would be outdated for protection. Google and Microsoft already have quantum computers, that is to say that in the near future we need physical tokens or another system.
    https://www.livescience.com/google-hits-quantum-supremacy.html


Log in to reply
 

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.