in reply to Re: 8-character password limit?
in thread 8-character password limit?
The vast majority of security leaks are from people writing their passwords down
Yeah, and when you limit passwords to 8 characters, people feel compelled to include upper and lowercase characters, numbers, and punctuation, resulting in passwords that are impossible to remember, so they write them down. A longer password made out of three or four words is A) harder to brute-force if someone should happen to try and B) substantially easier to remember.
The traditional reason to limit passwords to 8 characters was because with primitive hashing algorithms used in the 1940s (partly due to the limits of what processors could handle at the time) only the first few characters were significant anyway, so a longer password would provide a false sense of security. In modern times, longer passwords should be allowed if the password hashing algorithm can handle them.
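An added example, not part of the original post: a defender's probe that measures how many leading characters of a password a hashing function actually uses, which is how you would confirm whether a system silently ignores everything past character 8. `legacy_hash` is a constructed stand-in for a truncating scheme (not a real legacy algorithm), and `modern_hash`, `significant_length` and the salt are names and values chosen for this illustration.

```python
import hashlib


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a truncating scheme: only the first 8 bytes count."""
    return hashlib.sha256(salt + password.encode()[:8]).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the whole password.
    The iteration count is kept low only so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def significant_length(hash_fn, max_len: int = 64):
    """Return the index of the first character position that hash_fn ignores,
    or None if changing any position up to max_len changes the hash."""
    salt = b"constructed-salt"  # fixed so the two hashes are comparable
    base = "a" * max_len
    reference = hash_fn(base, salt)
    for i in range(max_len):
        # Flip exactly one character and see whether the hash notices.
        probe = base[:i] + "b" + base[i + 1:]
        if hash_fn(probe, salt) == reference:
            return i
    return None


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_hash), ("modern", modern_hash)):
        n = significant_length(fn)
        print(name, "uses every character tested" if n is None
              else f"ignores everything after character {n}")

    # With truncation, a long passphrase is only as strong as its first 8 characters.
    salt = b"constructed-salt"
    same = legacy_hash("correcthorsebatterystaple", salt) == legacy_hash("correcth", salt)
    print("passphrase collides with its 8-char prefix under legacy:", same)
```
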
Re^3: 8-character password limit?
by Rhys (Pilgrim) on May 13, 2006 at 17:17 UTC