This forum requires a 10-character password. I have registered for hundreds, maybe thousands of things over the past 20 years, and never encountered such a requirement.
This forum is hardly a high-value item. Having such a requirement is a bit like carrying a huge, expensive, heavy bicycle lock for an antique rusty bicycle that nobody would want to steal anyway.
This is an example of where high password requirements can lead to less security, because people have to pick unusual passwords that they then have to write down.
Take it from The Man (Bruce Schneier) who wrote The Book (Applied Cryptography) on security: “To determine how much security you need, you must ask yourself some questions. How much is your data worth? How long does it need to be secure? What are your adversaries’ resources?” [p. 166]
It’s hard to believe that anyone has a burning desire to hack into your forum, particularly since they can become a member for free. Any user who is concerned that your password file will be stolen can make his password as big as he likes. For us trusting souls, we should be able to make it as small as we like.
Sorry for the long password.
Unfortunately it’s fairly common for people to hack forums and use forums to steal passwords from other accounts. Users tend to use the same password in multiple places, and a large forum hack can be a big problem for third-party services like Gmail or Apple iCloud. Here is a recent forum hack that was in the news: https://www.theregister.co.uk/2017/03/23/android_forums_breach/.
Please use a password manager to generate long passwords and keep track of them.
We use the default password settings for Discourse so you can contact them here https://www.discourse.org/ if you feel their policy is wrong.
You don’t seem to be sorry. You actually think it’s a good idea, and then try to foist the blame off on Discourse, as if you couldn’t change their default.
Why would anyone try to crack my password if they can become a forum member in 2 minutes? That makes zero sense to me. The only risk is if someone cracks into your system as a user who can copy the password files, and (hopefully) that can’t be done from the forum. As I said, any forum member who is concerned about that exploit is free to make his password just as ridiculous as he likes.
Anything mandatory is not for my benefit, it’s for yours.
Hi @norman, do you use a password manager? I use KeePass through Firefox, which keeps track of all of my passwords. It’s a great PM.
I don’t think that @Ken_GlassWire is being disingenuous when he says “sorry”. I interpret his reply as “I’m sorry that you are upset about this, but the minimum password length is set for good reasons”.
You, or others reading this topic, might be interested in the reasons Jeff Atwood, founder of Discourse, thinks that short passwords are bad. Discourse used to have a minimum of 8 characters; it is now 10 characters, and I imagine that it will increase again within a couple of years.
I also use a password manager, KeePass on Windows and an Android version. Most of my passwords are randomly generated and 20 characters long. The exceptions are those applications and websites that have a lower maximum password length. I don’t make any distinction based on the impact of a cracked password because it is too easy to take a shortcut for my most important passwords.
Once upon a time I used KeePass. It’s a fairly good way of keeping a lot of good passwords. I no longer use it because life is too short. YMMV
In the light of a new day I’m willing to accept that Ken wasn’t being disingenuous, he was just saving keystrokes as you suggest.
Jeff’s reasoning has everything to do with the crackability of the passwords, and nothing to do with the material being protected. As he details, even a 10-character password can be easily cracked in a few hours. If you have NSA-level resources, that’s probably true for any password.
So now we can consider the really interesting question, namely how much security is “enough”? To answer this question, we have to ask Bruce Schneier’s questions:
- how much is the data worth?
- what are the resources of the opponent?
- how long must it remain secure?
Given that forum membership is available for free with two minutes effort, I have to conclude that forum access is worth approximately nothing. By requiring long passwords, you’re protecting approximately nothing. So “enough” is very little indeed in the context of this forum.
The same is not true for the administrators and developers on the Glasswire server. Their passwords secure quite a bit of valuable data, including my forum password, and I like to think that they have good passwords. The bar is much higher for them.
I have nothing against people who pick long passwords, but I do have a problem with people who require that I do so. My security is my business, not yours. Anything mandated is for your benefit, not mine. If I want to leave my wallet and keys out on a park bench, that’s for me to decide, not you. A compromise of my forum password does not represent a risk for anybody else, so why should anybody else care whether my password is crackable in two seconds or two hours?
Yes, a longer password is more secure, but it’s also overkill for a forum password. If you like overkill, that’s fine, but there is no logical reason to impose it on other people.
I agree that long passwords are inconvenient but there are many tools to help with convenience. Plus I don’t remember the last time I had to enter my forum password here - it’s not very often. And a password manager means that I only have to remember one main password anyway.
there is no logical reason to impose it on other people.
There are logical reasons, particularly for those of us who don’t mind the inconvenience of a “long” password. My main reason is to reduce the risk of other people’s failures affecting me.
Many, if not most, people reuse passwords on different sites. In my experience, that’s true for most of the people I help with computer problems. So enforcing a minimum of 10 characters has major benefits for general security because it both prevents the most common, easy-to-remember terms from being used and ensures that cracking the password takes a significant effort. Every time somebody I work with or communicate with is hacked, the risk increases that I will be impacted.
Likewise, broken security on a forum increases the likelihood of a negative impact on the forum owner.
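The two effects argued for in the post above (a length floor and a block on the commonest terms), together with the crack-effort question raised earlier in the thread, as an added example that is not from the thread and does not reproduce Discourse’s own code. The common-password list and the guess rate are constructed; the keyspace estimate is a plain brute-force bound, not a model of a real wordlist attack.

```python
# Added example, not Discourse's code: a server-side policy check with the
# 10-character floor debated above plus a block on common passwords, and a
# keyspace estimate showing how worst-case crack time scales with length.
MIN_LENGTH = 10

# Constructed stand-in for a real breach-derived common-password list (assumption).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "password1",
    "iloveyou", "1234567890", "qwertyuiop", "football", "baseball",
}


def check_policy(password, min_length=MIN_LENGTH, common=COMMON_PASSWORDS):
    """Return (ok, reason). The length floor alone does not stop a 10-digit
    keyboard pattern, which is why the common-password check is also needed."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in common:
        return False, "appears in common-password list"
    return True, "ok"


def charset_size(password):
    """Size of the smallest conventional alphabet covering every character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # space and the printable ASCII symbols
    return size


def guesses_to_exhaust(password):
    """Guesses needed to enumerate the whole keyspace (brute force, no wordlist)."""
    return charset_size(password) ** len(password)


def hours_to_crack(password, guesses_per_second):
    """Worst-case hours at an assumed guess rate; the rate is Schneier's
    'adversary resources' question made concrete."""
    return guesses_to_exhaust(password) / guesses_per_second / 3600


if __name__ == "__main__":
    rate = 1e10  # constructed: ~10 billion guesses/s against a fast unsalted hash
    for pw in ["letmein", "1234567890", "Tr0ub4dor&3", "correcthorsebatterystapleXY"]:
        _, why = check_policy(pw)
        print(f"{pw!r:<30} {why:<36} hours={hours_to_crack(pw, rate):.3g}")
```

The run shows the point both sides circle around: a 10-character string drawn from a common list is rejected regardless of length, while for random passwords the exhaustive-search bound grows by a factor of the alphabet size per added character.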
Clearly a longer password is more difficult to crack, but it is not necessarily more secure. The longer the password, the more likely it is that you’ll have to record it somewhere, which is a security risk. Clearly this risk can be minimized, but it is always better to record it nowhere. Even worse, the user is likely to let his computer remember the password, which is a huge security hole. Any passer-by can then use his computer to do the dirty deed, or at the very least copy the secrets and crack them at leisure.
This argument, about password re-use increasing the risk to everyone, is completely bogus. If my forum password is cracked, nobody is impacted, probably not even I. You’re trying to say that every cracked password increases risk for all, but that is only true for those using a password which has been cracked. When my password is protecting something of value, I am careful to pick one which is not likely to be on that list of known passwords. Anyone not following this obvious rule is setting themselves up for trouble, but that is not a problem for anyone who follows the rule.
As for the likelihood of a negative impact on the forum owner, or other forum users, I’m at a loss to understand this point. Access to the forum is essentially free for all, so why would anybody bother to crack my password? So they can fiendishly alter my contributions? A cracked password is only a problem if it is protecting something valuable. If I am silly enough to re-use my forum password for my bank account, that is my problem, and only my problem.
Nobody is going to bother to crack a forum password, because it’s just not worth the effort, however minimal. So increasing the difficulty merely inconveniences the users, with no perceptible gain in security. Of course the forum owner can set the bar as high as s/he likes, but it can’t be justified logically.
Life is too short to get all bothered by different password policies at different sites, and to write several forum posts lamenting such password policies. About 12 years ago I started using KeePass to generate high-quality, unique passwords for everything. So I don’t have to think about passwords anymore, I don’t need to complain about passwords, I don’t have to worry about non-unique passwords, and I can enter my passwords very quickly in an automated way. Faster than I could type passwords myself, even. Because life is too short.
Touché. To each his own.
One friendly word of advice: don’t lose your key, or the 3 copies you have to keep updated.
Thanks, yes, so far in the past 12 years I’ve never forgotten my master password. And I have many more than 3 copies, which I never need to manually keep updated, or even think about. I have sync software taking care of replicating the password database to every device I use. And in KeePass’ options, I have all of its file integrity features enabled on save, and I have it set to auto-save and auto-lock the database whenever the window is closed, as well as after a couple of minutes of not being used. Therefore, in the past 12 years I’ve also never had to deal with the possibility of any conflicting updates to the database across any of my devices. But just to be extra careful, about once every 6-12 months I copy the 150KB file (containing more than 500 entries) to a location that is not being synced, which takes just 1 second.
Thanks for your advice though, there is always the possibility that someone else has a much better password management system than me, and I’m always keen to hear if others are doing things in a better way, which I can then incorporate into my system. So far my system has worked quite well, as I’ve never lost a password, never had to think about what information I provided to a site when I registered (because I keep a record of that inside the associated entry too), and the speed of logging in anywhere is consistent because whether it’s an important site or a non-important site, and whether it requires a long password or a short password, it takes KeePass the same amount of time to log on, which is pretty much no time at all.
Apparently KeePass has improved a lot since I used it. If I get another contract where I have to juggle a lot of passwords, I’ll consider it. Problematic is that it seems to require either Windoze or Mono, neither of which is a given for the kind of work I tend to do.
Use a password manager, and generate long and ambiguous passwords using letters, capital letters, numbers, and characters like this one:
The password manager saves these for you and enters them for you in the login page. All you have to do is remember the main password to unlock the password manager.
Which Password Manager do you use? POLL: Which Password Manager do you use?
You haven’t seen captchas yet…
I’ve been using LastPass (with Firefox) for several years, and I like it a lot. Is this “KeePass” of which you speak better? I’ve been using 12 characters, mixed upper, lower, numbers, and symbols, and I have a different password for every account.
The main difference is that the KeePass password database is not stored centrally on the Web like LastPass’s.
I find that KeePass is better suited to technical users.
P.S. KeePass has a password generator which will handle your passwords very easily.
Here’s a review of Best Free Web Form Filler and Password Manager from Gizmo’s freeware. As is common, LastPass is rated more highly.
If you have been using LastPass then no, KeePass is not better. It is just open source, and some people like to use only open source software. There is the ability to scrutinize the code and assure there are no backdoors. On the other hand, LastPass gets their software audited somewhat regularly.
I prefer to use both LastPass and 1Password. LastPass is for on the go, away from home and on the mobile devices.
1Password’s database stays on the local computer and does not upload to the cloud. It’s pretty much a backup to LastPass. Kind of overkill, but I like redundancy with things as important as passwords.
They actually work well with each other. They both prompt to capture login information and don’t interfere with each other.
I used Roboform for a while; V6 was the last version that kept your passwords local. With V7 they started with the cloud service as the only storage option. The problem with V6 was that for every password saved, it saved a single encrypted file. Worse yet, every file was named after the website you had a password for. Sure, it was encrypted and no one could see the login details, but the metadata was there and that could be a problem.
Cool, so now you’ve got every password you own, scattered all over the internet, encrypted of course. Essentially you’ve replaced hundreds of passwords with one super password or passphrase.
Now along comes something like this:
Once you’ve typed your passphrase to decrypt your passwords, suddenly somebody has access to the cleartext of all your passwords.