Who did come up with this anti-human anti-linux "security measure" for password requirement in this board?

Post by Waffa »

It seems the security level for a password is higher here than in government portals and in ALL popular social media and largest websites in the world.

Who are these kinds of people who work so hard to keep new people from joining the Linux Mint forum and community?
Can there be a more frustrating thing than being told over and over again that your password is not sufficient (even if it is like 9-some characters in a combination of small and big letters and numbers, and then on top of all that, after you make up some 17-character password to use just once, as who would remember it a second time, it tells you it is still not sufficient as it needs special characters)?

To add to the insult, it will NOT say what the requirements are but lets you get face f ked by every new try.

Perhaps the only thing that is missing is to send a passport copy and confirm a home address to add more security; preferably humans would need to fly by airline in future to confirm in person with a fingerprint to get this last layer of security to access freaking one of the many kind, online tech forum of one of the popular Linux distributors.

And this Google "find store fronts and stoplights" ... find again... find again... on top of that.

I am so pissed off at these kinds of exclusionary retarded security features that I have totally forgotten what I even came here for. And as my browser has an error and does not save cookies, I will not even be able to access here without a password reset a second time.

Can you at least be a BIT more human, whoever came up with this method to scare off people, and add the requirements at the BEGINNING of the password box, to lessen the emotional damage?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Post by karlchen »

Hello, Waffa.

Welcome to the Linux Mint forum. :) It is really nice that you only joined in order to tell us we should loosen our password requirements. :)
Why only does your post remind me of a similar post and thread, which we had only recently? Cf. Password to log in here....
In brief words:
There is only one thing, which beats a unique, strong password. This is an even stronger password.
There are password managers around, which help manage strong passwords, without having to remember strings, which 99,9% of all humans will not be able to remember.

Best regards,
Karl
Last edited by karlchen on Sun Feb 03, 2019 10:40 am, edited 1 time in total.
Reason: grammar corrected: "help manage" not "help managing"
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
Post by rene »

karlchen wrote: Sun Feb 03, 2019 10:04 am There are password managers around, which help managing strong passwords [ ... ]
Password managers which, mind you and as also mentioned in that previous thread, would generally shake their collective heads at the silly overblown requirements here on the Linux Mint forum. I.e., "Word!", OP.
Post by Flemur »

Can there be a more frustrating thing than being told over and over again that your password is not sufficient
I don't think anything could be more frustrating than that!

Here's what you see @sign-up:

"Password:
Password must be between 10 characters and 32 characters long, must contain letters in mixed case, must contain numbers and must contain symbols."

Seems pretty clear and straight-forward to me...except perhaps: does the password require more than one letter (yes, because mixed case), more than one number, and more than one symbol? If not, the instructions are incorrect.
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Post by karlchen »

Hello, Waffa.

I just checked the register page in order to verify whether your statement below could be true.
Waffa wrote: Sun Feb 03, 2019 9:55 am To add to the insult, it will NOT say what the requirements are but lets you get face f ked by every new try.
Right below the word "Password" the following requirements are laid out:
Password must be between 10 characters and 32 characters long,
must contain letters in mixed case,
must contain numbers and
must contain symbols.
So the requirements are not kept secret.

So let us create a sample password, which should fulfil the 4 requirements:
  1. Length between 10 and 32 characters. Lazybones that I am, I will not want to type 32 characters, but will try something shorter, but not shorter than 10 characters: securityisannoying - 18 characters, should be sufficient
  2. Must contain letters in mixed case. Oops, all lowercase will not do. Need to mix uppercase and lowercase: SecurityIsAnnoying - Should do.
  3. Must contain numbers. OK. Need to add a minimum of 1 number or replace a letter by a number: Security15Annoying - Should still do.
  4. Must contain symbols. Hm. May not be quite so obvious. But as far as I know, any character, which is not alpha-numerical, neither character, nor number, will qualify as a symbol: Security-15+Annoying - Should do.
Actually, the requirements are what you will frequently come across and not that hard to fulfil.
And as mentioned before, there are password managers around, which will permit you to use complex passwords without having to remember them.
And you should not be complaining about us forcing you to use complex passwords, but about the bad guys, who keep on trying to harvest your login credentials and who will appreciate, if you use simple passwords, which are on top of password lists.

Regards,
Karl
Post by trytip »

you should try to create an account for the Arch Linux or Antergos Linux forums. if you think this is annoying, try creating an account while you block cookies by default and with a lot of other privacy extensions and using a hosts file.
i'm sure it's gotten worse since i created my account here, and i do feel your pain. i told the antergos forum that the developers were on drugs, and to this day i still have to admit that the Antergos linux forum is the worst layout in the linux community. but that's just my opinion (shared by many at the same time)
Post by karlchen »

Hi, trytip.

Encouraging users to use unique passwords for each service and encouraging them to use complex passwords is an appropriate step, just like encouraging people driving in a car to fasten their seatbelts.
Yet, the website owners should not put the whole load on the users' shoulders only. The minimum step which website owners should take in order to make hacking as hard as possible is limiting the number of unsuccessful login attempts to some low, but reasonable value like 3 or 5 failed attempts.
If you only have a low number of tries to guess or brute-force a password, then passwords do not have to be overly complex.

Still, with password managers being around, managing complex passwords is no big hassle. So I really do not appreciate this whining about the oh so unreasonable complexity rules, preferably by those people who completely fail to see that on the internet they are surrounded by sharks. (This statement is not addressed to you, trytip. No attempt of defending whatever the website admins do in the Arch forum, because I do not know what their requirements are.)

Regards,
Karl
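The attempt limit described in the post above, as an added sketch that is not the forum software's code: a per-account failure counter with a temporary lockout, plus the guess budget it leaves an online attacker. The 15-minute lockout, the class and function names and the account names are assumptions; only the limit of 5 failed attempts comes from the post.

```python
import math

MAX_FAILURES = 5            # upper value suggested in the post ("3 or 5")
LOCKOUT_SECONDS = 15 * 60   # assumption: the post gives no lockout duration


class LoginThrottle:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time at which the lockout ends

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' or 'locked'.

        A locked account is refused before the password result is looked at,
        so guesses sent during a lockout tell the sender nothing. The cost:
        the real owner is refused too until the lockout expires.
        """
        if now < self._locked_until.get(account, 0):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
        else:
            self._failures[account] = count
        return "denied"


def online_guess_budget(days, max_failures=MAX_FAILURES,
                        lockout_seconds=LOCKOUT_SECONDS):
    """Upper bound on guesses evaluated for one account in `days` days."""
    bursts = days * 86400 // lockout_seconds + 1
    return bursts * max_failures


def budget_bits(days):
    """The same budget as log2, comparable with a password's search space."""
    return math.log2(online_guess_budget(days))


def simulate_guessing(seconds):
    """Constructed scenario: one wrong guess per second against one account.
    Returns how many of those guesses the server actually evaluated."""
    throttle = LoginThrottle()
    results = [throttle.attempt("alice", False, now) for now in range(seconds)]
    return results.count("denied")


if __name__ == "__main__":
    print("evaluated guesses in one hour:", simulate_guessing(3600))
    print("guess budget per year:", online_guess_budget(365),
          f"(~{budget_bits(365):.1f} bits)")
```

With these settings a full year of online guessing covers under 18 bits of search space, which is the sense in which a throttled login does not need overly complex passwords; the limit does nothing against offline guessing on a leaked hash.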
Post by trytip »

password managers are fine if you are rooted to your seat in front of your pc. if you're out and about on a mobile phone or at a friend's house, good luck trying to remember. even so, using a password manager can also backfire as i have seen threads where passwords were hijacked, so nothing is 100%.
carrying a little black book with all your passwords around, or a text file on your phone can also backfire.

and even more so, how many breaches of security have we seen lately with millions of passwords leaked and userdata being compromised. encouraging people to fasten their seat belts is not the same, that's an active life hazard. if my passwords were hacked i can live with that or without that account.
Post by rene »

karlchen wrote: Sun Feb 03, 2019 11:27 am Still, with password managers being around, managing complex passwords is no big hassle.
Was typing when trytip also was, but, yes, definitely:

If and only if you're always on a system with access to said manager, and where getting access would not in fact be the much bigger security issue. I.e., unlocking your vault on an unfamiliar system --- and even when chances of this being an actual problem would be slim: as long as it's not a private system there's always an issue there.

And yes, not logging into the Linux Mint forums specifically on any such system is a valid answer seeing as how nothing on the forum would be important enough to need immediate attention, but generally speaking it is not a valid answer for anyone who's not always just on a personal system. Memorizing one or two complex passwords so as to forego the need for manager access is doable -- but then you in these mobile times run into "keyboard" issues where you may need to ask owner to even be able to locate a method of inputting the symbol, what with the device for example being set to a language with an unfamiliar alphabet.

Yes, that gets rather specific, and I'm sure many don't mind. But for those that do the thing is that very specific requirements are not more secure but less so. Ninety percent, say, of security is not technical but psychological. And what happens in practice rather than theory is that annoyed people for example use a single standard 12-symbol password shared over sites with stringent requirements specifically due to those specific sites not fitting their normal systems. That they violate the thousands times more than symbol-requirements important rule of using unique passwords. This is what always happens. Security is psychology, only in a more minor sense technology. Go past a certain threshold and psychology guarantees that you make those you supposedly aim to protect less secure rather than more by annoying them into obstinacy.

(I promise that was the last thing I will ever say on the subject of forum passwords here though)
Post by karlchen »

Trytip and rene.

I guess, we can agree that website owners are frequently doing a very poor job when it comes to protecting their customers' data. Else it would not be possible to collect millions of customer data records in one go and in brief intervals.
They are bullying their users to use complex passwords and incorrectly assume that were enough to make their websites and cloud servers safe. As the huge amount of leaked customer data suggests, the assumption is absolutely incorrect.

Cheers,
Karl
Post by cliffcoggin »

I don't understand why anybody would sit in front of one of the most complex data manipulation systems ever invented, but not use it for data manipulation. In other words, let your computer do the hard work of managing passwords by installing a password manager.
Cliff Coggin
Post by rene »

Hnnnnng! "If and only if [ see above ]".
Post by Raycoupe »

I completely understand the frustration of TS with passwords in general, but ranting about it here is blaming the wrong guys.

Personally I don't like password managers, since they are cumbersome if you don't use the same computer all the time.

Unfortunately I've got just a little short of a hundred accounts, since you can't even get TV subscription, electra or anything without a my.... website account. I don't even bother any more making up different passwords for accounts where little damage can be done like fora, webshops, TV/ISP providers, etc.

Heard that the guy who thought up this policy of passwords with special characters, capitals etc, regrets it deeply, since most people do the same as I do. Ah, here is a link in English about the guy: https://www.wsj.com/articles/the-man-wh ... 1502124118

These password policies even prevent me from using long sentences as passwords, which would be a solution. There simply seems to be no standard, but this strange and very restrictive policy by the National Institute of Standards and Technology.

I really don't understand why the industry hasn't come up with a better solution since 2003. Personally I would like something like a physical usb key, but for now, that doesn't work on most accounts and *sigh* that's the case with all alternatives, they are not working for all accounts.

Current way of doing passwords might be cumbersome for someone like me, but for older people and folks less tech savvy it's horror.
Hardware, operating systems, software and networking are nothing else than necessary, cumbersome and easily replaceable evils to store and provide data. Triple backup your data at least, twice on-site, and another copy off-site.
Post by rene »

Microsoft is heading in the general direction of replacements for passwords such as through, indeed, physical keys. F.e. https://www.microsoft.com/en-us/cloud-p ... sswordless, although I recently read a better account of what they were doing; can't find it again currently. Yes, the current situation is too much of a disaster, and I would as such expect that fundamental change will/should in fact be coming.

Here by the way the text of Raycoupe's link for those of us without WSJ: https://www.reddit.com/r/pwned/comments ... les_has_a/
Post by Schultz »

I wonder if this poster won't come back to read the responses just like the other that karlchen linked to.

I just don't get it . . . a short sentence which begins with a capital letter, has a number, and ends with either ? or ! or. It really isn't that hard. Or am I just a super genius? Hey, there's one: Iam1supergenius! 16 long, a capital, a letter, and a special character.

Post by rene »

You can basically go by the rule of thumb that if you can in fact remember a password it won't stand up against determined attack. Offline attack, in the sense of it being available for continuous prodding. Computers or computer-clusters, and to some degree including those available to criminals, have gotten fast enough for that, mostly driven by the involved computations needed for 3D graphics also in the consumer-space.

That is, what I'm saying is that your genius password that gets through the forum requirements isn't in fact all that secure. A number requirement does nothing other than add 10 possibilities to the alphabet; a symbols requirement not much more in practice given that 10 symbols will make up approximately 99% of all symbol use in passwords. Going to passphrases can do much more simply as a matter of length but memorable ones would be rejected here, even though potentially more secure.

And that's the point really. There is no or hardly any basis for very specific requirements in the first place but lots of basis for saying they actually tend to make quite a few of us less secure in the sense of they/we forcibly foregoing much more important issues due to them not fitting the largely random and quite unfounded rules some government report once managed to enumerate. Yet, closing in on a decade now, everyone just keeps on parroting the same old stuff, safe in feeling able to follow some set of nicely numbered guidelines rather than having to in fact use a brain.

Don't get me wrong: I'm quite old enough to know that part is not exactly unique to IT...
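The rule text quoted earlier in the thread and the alphabet-size argument in the post above, worked through as an added example (not code from the forum or from any poster). The function names, the reading of "symbol" as any non-alphanumeric character and the 95-character printable ASCII pool are assumptions; the sample passwords are the ones named in the thread.

```python
import math
import string

MIN_LEN, MAX_LEN = 10, 32                  # limits from the quoted rule text
SYMBOL_POOL = len(string.punctuation) + 1  # 32 ASCII punctuation marks plus space


def unmet_requirements(password):
    """Return every rule the password fails, so a form can list them in one go."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("must be between 10 and 32 characters long")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("must contain letters in mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("must contain numbers")
    # Assumption: a symbol is any character that is not alphanumeric.
    if all(c.isalnum() for c in password):
        problems.append("must contain symbols")
    return problems


def alphabet_size(password):
    """Size of the ASCII character pool an exhaustive search would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOL_POOL
    return size


def brute_force_bits(password):
    """log2 of the exhaustive search space. This is an upper bound on strength:
    word lists and pattern guessing cover dictionary words with far fewer tries."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def lowercase_length_matching(length, pool=95):
    """Lowercase-only length whose search space matches `length` chars from `pool`."""
    return math.ceil(length * math.log2(pool) / math.log2(26))


# Passwords named in the thread.
SAMPLES = ["securityisannoying", "SecurityIsAnnoying", "Security15Annoying",
           "Security-15+Annoying", "Iam1supergenius!",
           "correct-horse-staple-battery"]


def report(samples=SAMPLES):
    return [(pw, brute_force_bits(pw), unmet_requirements(pw)) for pw in samples]


if __name__ == "__main__":
    for pw, bits, problems in report():
        verdict = "accepted" if not problems else "rejected: " + "; ".join(problems)
        print(f"{pw:30} {bits:6.1f} bits  {verdict}")
    print("10 chars from the full pool ~",
          lowercase_length_matching(10), "lowercase letters")
```

The 28-character passphrase is rejected for lacking mixed case and numbers although its exhaustive search space is larger than that of the accepted 20-character sample, and four extra lowercase letters buy as much search space as the whole mixed-case, number and symbol requirement does on a 10-character password.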
Post by karlchen »

Hi, Schultz.

First of all, we had been suspecting since long that you might be a supergenius. :wink:
Second, the issue with just one single ingenious password is that hardly anyone of us has got only one account. So we need more than one supergenius. We need several such ingenious passwords. Because from my irrelevant point of view, it is much more important for my own security that my passwords are unique per account than that they are extremely complex or that they are changed in ridiculously low intervals like once per month.
I am glad I have not reached the number of 100 accounts like one of the posters a few posts above. Yet, I am on my way there.

Cheers,
Karl
Post by rene »

karlchen wrote: Sun Feb 03, 2019 3:04 pm Because from my irrelevant point of view, it is much more important for my own security that my passwords are unique per account than that they are extremely complex or that they are changed in ridiculously low intervals like once per month.
QFT.
Post by Schultz »

rene wrote:
That is, what I'm saying is that your genius password that gets through the forum requirements isn't in fact all that secure.
I know it's not. I would never use one like that. I would recommend the correct-horse-staple-battery rule to anyone who has to make a new password. I just gave that as an example because the OP obviously doesn't care about security.
Post by lsemmens »

What about all the security requirements to get into your car, and drive away, especially if it's raining! Fancy having to find a key in the rain, then fumble for the lock to open the door, bugga! wrong key, Fumble again and drop them! Sh*****t! Found them! And the right key this time. Now that you are sopping wet, you are sitting in your nice dry car and you've now got to put the key in the ignition and.......wait for it..........still waiting.............still waiting.........(no, the battery isn't flat - fortunately) the car starts. You're sitting in a dry car shivering your little butt off waiting for the heaters to work.

And here you are worrying about a little security?
Fully mint Household
Out of my mind - please leave a message