Re: 8-character password limit?
by swampyankee (Parson) on May 13, 2006 at 03:07 UTC
In my opinion? No. On the other hand, overly complex password rules encourage people to write them down on PostIts™, which doesn't tend to improve security.
I've seen some pretty hideous password schemes. One place where I worked required all passwords to be of the form C(VC){2}, where "V" is a vowel (aeiou) and "C" is a consonant (any other letter in the 26 character Roman alphabet). Nothing else, upper case only. This machine was not on the Internet, but still!
emc
"Being forced to write comments actually improves code, because it is easier to fix a crock than to explain it. " —G. Steele
I have always wondered what the big deal was about writing passwords down. I do it all the time, if it's something I have problems remembering. Then I put it in my wallet. If I really need to look at my password, it's right there, as safe as my wallet. If someone gets hold of my wallet, they still wouldn't know what the passwords were for, unless it was a co-worker or something.
Now I use my cat's name for a password. But his name is zo4WQfoenc32G, and I change his name weekly.
Writing your password down and taping it to your monitor is probably a trifle less secure than your wallet.
I could say that your cat's name would be tough to pronounce, but it probably makes no difference what you call a cat; they don't come when they're called.
emc
Re: 8-character password limit?
by dynamo (Chaplain) on May 13, 2006 at 06:20 UTC
No good ones, imho.
There are, however, very good reasons to require some variance in character class (say, use at least 3 from: a-z, A-Z, 0-9, << the set of all other ascii characters, which would look ugly in char class notation, plus space >>).
Re: 8-character password limit?
by TedPride (Priest) on May 13, 2006 at 20:52 UTC
Given no restrictions on password format (other than that it has to be a certain minimum length), many people will use actual words or combinations of words as their password, which aren't terribly hard to guess. Those who make their password more complex will just go back to writing it down, and you have the same problems you did with an 8-character password.
It all boils down to one basic fact - the more difficult it is to brute force a password, the less difficult it is to get your hands on it through social engineering. I still say that a short password with lockout on double failure is more secure than any long password. Just be sure to encrypt it using a different key for every user (registration time + user name + some overall server key, perhaps), or someone with access to the database could match their hash to the hash of every other user, and gain access to people with the same password.
There's also the little matter of people tending to use the same password everywhere, which means that while your security may be infinite, the next place over could leak passwords like a sieve. This is another reason to assign passwords rather than letting people choose them, which means in turn that a short password is better than a long one.
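Added example (not code from the thread): the per-user "different key" the post describes, done as a random per-user salt with PBKDF2 rather than the registration-time/user-name derivation it suggests. It shows that without a salt two users who chose the same password get identical stored values, and with one they do not.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for illustration


def hash_unsalted(password: str) -> str:
    """Naive scheme: the same password yields the same hash for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256); salt is stored alongside."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def new_record(password: str) -> str:
    """What you store at registration: a fresh random 16-byte salt per user."""
    return hash_salted(password, os.urandom(16))


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, _ = record.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def same_password_collides(scheme, password: str = "correct horse") -> bool:
    """True if two users with the same password end up with the same stored value."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("unsalted collides:", same_password_collides(hash_unsalted))  # True
    print("salted collides:  ", same_password_collides(new_record))     # False
    rec = new_record("zo4WQfoenc32G")
    print("verify ok:", verify("zo4WQfoenc32G", rec), "wrong:", verify("x", rec))
```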
Re: 8-character password limit?
by TedPride (Priest) on May 13, 2006 at 09:39 UTC
The vast majority of security leaks are from people writing their passwords down, or giving the secondary verification info to callers. Very few passwords are actually "cracked". Given this fact, it makes more sense from a security standpoint to have 3-character passwords with lockout on fail, rather than 8+ character passwords that will just get mined or social engineered. However, longer passwords do give the -appearance- of better security, so I suppose if this is more important than actual security, go with the longer password.
The vast majority of security leaks are from people writing their passwords down
Yeah, and when you limit passwords to 8 characters, people feel compelled to include upper and lowercase characters, numbers, and punctuation, resulting in passwords that are impossible to remember, so they write them down. A longer password made out of three or four words is A) harder to brute-force if someone should happen to try and B) substantially easier to remember.
The traditional reason to limit passwords to 8 characters was because with primitive hashing algorithms used in the 1940s (partly due to the limits of what processors could handle at the time) only the first few characters were significant anyway, so a longer password would provide a false sense of security. In modern times, longer passwords should be allowed if the password hashing algorithm can handle them.
Sanity? Oh, yeah, I've got all kinds of sanity. In fact, I've developed whole new kinds of sanity. Why, I've got so much sanity it's driving me crazy.
Hear! Hear! Using a 24-character passphrase that is all lower-case letters and spaces is still more secure than an eight-character monstrosity, mainly for the reason that it's easier to remember (and probably easier to type).
Furthermore, long passphrases are known to be workarounds for known vulnerabilities in security systems. Passphrases 20 characters or longer are significantly harder to crack in WPA-PSK. Passphrases longer than 14 characters have no LANMAN hash in Windows (MUCH MUCH harder to crack).
Enforcing a larger minimum length is more important than making stern complexity requirements.
Simple proof: You care how long your encryption keys are, not how complex they are.
--J
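Added example (not from the thread): the "length beats complexity" argument above, put in numbers. It compares the search space of the schemes discussed in this thread: the upper-case C(VC){2} scheme, an 8-character password drawn from all printable ASCII, a 24-character lower-case passphrase, and a four-word passphrase drawn from a word list. The 7776-word list size and the 10^9 guesses/second rate are assumptions for illustration.

```python
import math

VOWELS = 5        # aeiou
CONSONANTS = 21   # the other letters of the 26-letter alphabet


def bits(choices_per_position: float, length: int) -> float:
    """Entropy in bits for `length` independent positions, each uniformly chosen from N symbols."""
    return length * math.log2(choices_per_position)


def cvc_scheme_bits() -> float:
    """C(VC){2} = C V C V C: three consonants and two vowels, upper case only."""
    return 3 * math.log2(CONSONANTS) + 2 * math.log2(VOWELS)


def mixed_class_bits(length: int = 8) -> float:
    """a-z, A-Z, 0-9, space and the 32 other printable ASCII symbols: 95 choices per position."""
    return bits(95, length)


def lowercase_passphrase_bits(length: int = 24) -> float:
    """Lower-case letters plus space, treated as independent uniform characters."""
    return bits(27, length)


def word_passphrase_bits(words: int = 4, dictionary: int = 7776) -> float:
    """Words drawn uniformly from a list of `dictionary` words (assumed diceware-sized);
    this is the honest figure when the attacker knows the words come from that list."""
    return bits(dictionary, words)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float = 1e9) -> float:
    """Time to try every candidate at the assumed offline guessing rate."""
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for name, b in [("C(VC){2} upper-case", cvc_scheme_bits()),
                    ("8 chars, 95 symbols", mixed_class_bits()),
                    ("24 chars, a-z + space", lowercase_passphrase_bits()),
                    ("4 words from 7776-word list", word_passphrase_bits())]:
        print(f"{name:30s} {b:6.1f} bits  {years_to_exhaust(b):.3g} years")
```

Note that the word-passphrase figure is the attacker's view (they know it is four dictionary words); counted as 20-odd lower-case characters it would look far larger, which is why entropy must be estimated from how the password was generated, not from its length alone.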
Re: 8-character password limit?
by Anonymous Monk on Jun 28, 2007 at 11:31 UTC
Today I met a system which still has problems with passwords > 8 chars.
It's HP-UX 11.
It will allow you to log in over telnet, but not over SSH, and sudo asking for a password has problems as well.
But then again, I had never expected that either. Just a warning for any future person having troubles with it.
jcb