Largest Study of its Kind Shows Outdated Password Practices are Widespread::undefined
The article focuses on password requirements that websites implement, not user behaviors. Common bad practices mentioned:
- Permit very short passwords
- Do not block common passwords
- Use outdated requirements like complex characters
Complex characters are outdated? It also refers to special characters but I guess that’s what I was thinking of. So special characters are in, so what is a complex character then?
Length is the most important thing, everything else is somewhat secondary. We should be shifting thinking of this to passphrases rather than passwords.
I’m sure most of us have seen the “correct horse battery staple” XKCD, but that’s what people really need to think of as passwords now, not my-favourite-celebrity-but-with-the-“e”-changed-to-“3”-and-an-exclamation-mark-at-the-end.
A character that extends outside the real number line
My characters extends outside time and space.
Make for very secure passwords.
Thanks for this, I knew the concept but I’ve always had a hard time putting it to words. Yeah, its not like they increase the entropy or anything. Same with diacritics
Reminds me of when Michael tells Dwight he and Jim make different amounts: its not about higher or lower, its just different
Either you or I got wooshed, cause I thought that was a maths joke, not actually an answer.
If your password is onky made up of numbers and there’s no or a faulty anti-replay feature, you can just keep tryinguntil you iterate to the right password.
I think enforcing complex characters is outdated. Allowing them is enough, since someone brute forcing still needs to consider them. Of course they could try all lower, then mixed, then including complex characters in that order to catch those that don’t. But still, it’s better to have a password made up of compound words that is longer, than S0meth!ngV3ryC0nvolu73D. Or just pure random (aka password generator)
My main issue is places that have a maximum password length. This is firstly a limitation on security, but more importantly throws a red flag because of the potential reasons for having a password length limit!
Depends on the limit really, if the limit is 32 characters or something like that, definite red flag.
If the limit is something like 250 or more characters, I’m more inclined to believe it’s basic protection from all the things that can go wrong when someone repeatedly POSTs whatever the maximum amount of garbage that your server’s request limit allows, at an API that performs cryptographic work.
Removed by mod
Largest study ever confirms something everyone has always known
Except infosec team
Password1! is out. passwordoneexclamationmark is in.
PassWordW0Nexclamationmark%%%
Pro password hours
Now that’s a pee four dollar sign dollar sign omega zero are dee right there
That’s amazing! That’s the same password I have on my luggage!
Something something hunter2 ha ha ha it are funy
Why would you bother making a comment just to not say your password? All I see is stars.
hunter2
Wait it’s not working for me I can see my password
You must be a hacker then
Something something ******* ha ha ha it are funy
What does this mean?
That’s a pretty good password. Not *******, but the sentence as a whole.
here is a tool, that helps with making secure passwords, that respect all the current and former best practices https://neal.fun/password-game/
🥚
Fun. Couldn’t get past rule 16 (chess).
I am tired of websites imposing limitations on passwords, but not sharing what those are. I use a password generator, and rarely know if Unicode characters are allowed, if there’s a limit on the number of characters, etc.
I’ve come across websites where dashes “-” are forbidden. My banking website only allows a maximum of 16 characters. Sometimes there’s a note below the password box, sometimes they don’t tell you until your password fails, and sometimes they don’t ever tell you. If I don’t know what the restrictions are, I’ll end up throwing a cheap password at it until I can find out what’s acceptable.
