Same here. Strong passwords should be complicated, and never repeated on another site.
Poll: are forums password requirements too complicated?
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 30 days after creation.
- Level 6
- Posts: 1347
- Joined: Thu Dec 26, 2013 10:19 am
- Location: N.E. AR USA
- stephanieswitzer
- Level 4
- Posts: 235
- Joined: Mon Feb 26, 2018 12:49 pm
- Location: Ontario
Re: Poll: are forums password requirements too complicated?
I'm a little late to the discussion as I just returned from England. Anyway, online security is up to the individual, and I think that passwords are a key part of that security. I have over 170 unique passwords being managed with Dashlane. It may be a pain, but anyone who is serious about their online security should use a PW manager, unless they have one fantastic memory. And of course if a person doesn't like the PW rules of a particular web site, then they are free not to join.
Mac-Mini running Linux Mint 20.3 Cinnamon, Intel© Core™ i5-2415M CPU @ 2.30GHz
MacBookPro9,2 running Linux Mint Cinnamon 20.3 Intel Core i5-3210M CPU @ 3.20GHz
System76 Galago Pro 4, running Linux Mint Cinnamon 20.3 Intel i5-1021 CPU @ 4.2 Ghz
Re: Poll: are forums password requirements too complicated?
Data breaches unfortunately happen. Seems like a month can't go by without reading about a data breach at some organization, affecting hundreds of millions of accounts. To stay at least somewhat safe online, do the following:
- use a unique password for each website
- use a password manager and let it generate passwords for you
- prefer to use long passwords
- prefer to use two-factor authentication (2FA)—so that to access your account you need to know something (password) and have something (like your smartphone to generate or receive a one-time access code)
- subscribe on https://haveibeenpwned.com/ to receive notifications when a website where you have an account is involved in a data breach
While these days most websites will be storing passwords encrypted, very short and/or very simple passwords can be brute forced individually in minutes if not seconds. Brute forcing means repeatedly guessing a password, encrypting the guess with the same algorithm as the website used and comparing the result with the encrypted password from a database of accounts obtained through a data breach.
The current length and complexity requirements were put in place (see https://blog.linuxmint.com/?p=3013) following the data breach of the forums early 2016 (see https://blog.linuxmint.com/?p=3007). Dropping the complexity requirement would mean significantly increasing the minimum length requirement to keep the passwords at the same minimum difficulty to brute force. Length trumps complexity (see https://xkcd.com/936/) but enforcing a longer length was estimated to be more inconvenient for our users. A lot was done, and continues to be done, by Linux Mint and its security partners to improve security of its websites.
With the current password requirements you can expect a single computer to need a few years to brute force it. A supercomputer will do it in a few minutes. Drop the complexity requirements and use a weak password (two dictionary words for example) and the password can be brute forced within an hour on a single computer. A supercomputer would need a couple of nanoseconds (millionths of a second). You can dramatically increase the time needed to brute force your password by increasing the length. (Increasing length from 10 to 20 characters would make a supercomputer need a few thousand years to brute force it.)
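The length-versus-complexity trade-off described in the post above can be worked through numerically. This is an added example, not part of the original post or the forum's own code; the 10-character, 94-symbol baseline and both guess rates are assumptions chosen for illustration.

```python
import math

# Alphabet sizes. The forum's exact policy is not quoted on this page, so the
# 10-character / 94-symbol baseline used below is an assumption.
PRINTABLE_ASCII = 94   # upper + lower + digits + symbols
LOWERCASE = 26
DICEWARE_WORDS = 7776  # words in a standard Diceware list

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size, length):
    """Entropy of a secret whose symbols are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def equivalent_length(alphabet_size, length, new_alphabet_size):
    """Smallest length over the new alphabet with at least the same keyspace.

    Integer arithmetic avoids floating-point error near the boundary.
    """
    target = alphabet_size ** length
    new_length = 0
    while new_alphabet_size ** new_length < target:
        new_length += 1
    return new_length


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"baseline: {entropy_bits(PRINTABLE_ASCII, 10):.1f} bits")
    print("lowercase-only length needed:",
          equivalent_length(PRINTABLE_ASCII, 10, LOWERCASE))
    print("random Diceware words needed:",
          equivalent_length(PRINTABLE_ASCII, 10, DICEWARE_WORDS))
    # Guess rates are assumed: a fast unsalted hash vs. a deliberately slow one.
    for label, rate in (("fast hash, 1e10/s", 1e10), ("slow hash, 1e4/s", 1e4)):
        print(f"{label}: {years_to_exhaust(PRINTABLE_ASCII, 10, rate):.3g} years")
```

These figures hold only for secrets generated uniformly at random, for example by a password manager; a phrase a person makes up has far less entropy than its length suggests.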
Re: Poll: are forums password requirements too complicated?
Just for the info:
https://pages.nist.gov/800-63-3/sp800-63b.html
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
Re: Poll: are forums password requirements too complicated?
Finally a voice of reason. Thanks xenopeek, was starting to lose hope.
Re: Poll: are forums password requirements too complicated?
Pass Phrases are what I use when allowed.
https://www.passworddragon.com/password-vs-passphrase
"Tune for maximum Smoke and then read the Instructions".
Re: Poll: are forums password requirements too complicated?
However a passphrase on this site would be fairly easy to guess, i.e. "I love linux mint because it got me away from Windows"
"Tune for maximum Smoke and then read the Instructions".
Re: Poll: are forums password requirements too complicated?
Are the minimum requirements for password complexity sufficient to prevent easy* compromise by an attacker / hacker etc.? That is the important question for me.
Too complex? Definitely not!
*Without access to sufficiently powerful hardware such as a supercomputer such attacks would likely need to be targeted.
Dell Inspiron 1525 - LM17.3 CE 64-------------------Lenovo T440 - Manjaro KDE with Mint VMs
Toshiba NB250 - Manjaro KDE------------------------Acer Aspire One D255E - LM21.3 Xfce
Acer Aspire E11 ES1-111M - LM18.2 KDE 64 ----… Two ROMS don't make a WRITE …
Re: Poll: are forums password requirements too complicated?
Well, supercomputers not, but distributed computing is readily available and fairly cheap these days, and the malicious actors compromising account databases for commercial gain will probably just task this off to a botnet, anyway.
Re: Poll: are forums password requirements too complicated?
Neil Edmond wrote:
Same here. Strong passwords should be complicated,
Longer is better than complex. I think there shouldn't be a maximum allowed limit like this forum has (32 characters). It should be as long as the user wants.
Re: Poll: are forums password requirements too complicated?
I don't trust important passwords to the cloud, and I sometimes find myself needing to access a certain account without keypass handy.
Here is an example password: Wk0cdIs wbwbam wamohn?
Both long and complicated, has upper/lowercase, numbers, and symbols but easy to remember. Here is the mental clue.
What kind of clothes do I suppose would be worn by a man with a mole on his nose?
A quote from an old tv series.
This is NOT my password, just an example of the formation.
Everything in life was difficult before it became easy.
Re: Poll: are forums password requirements too complicated?
A supercomputer does it about 3 million times faster. Still takes 2.5 quintillion years. You're good.
Re: Poll: are forums password requirements too complicated?
how long would it take for a super computer to crack mine ?...DAMIEN
It would take a computer about
177 UNDECILLION YEARS
to crack your password
- catweazel
- Level 19
- Posts: 9763
- Joined: Fri Oct 12, 2012 9:44 pm
- Location: Australian Antarctic Territory
Re: Poll: are forums password requirements too complicated?
10 million years is good enough for me.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Re: Poll: are forums password requirements too complicated?
And you have been alive half of that time
"Tune for maximum Smoke and then read the Instructions".
- catweazel
- Level 19
- Posts: 9763
- Joined: Fri Oct 12, 2012 9:44 pm
- Location: Australian Antarctic Territory
Re: Poll: are forums password requirements too complicated?
Harharhar!
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Re: Poll: are forums password requirements too complicated?
I have a completely different perspective on all this. I don't think the forum should have any passwords.
The way I see it the NSA, CIA, the government of China, preteen Russian kids, Google, Amazon, etc. already have access to all of my records and financial accounts. The only reason I haven't been personally harmed in any way is because once in they find it wasn't worth the trouble.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
Re: Poll: are forums password requirements too complicated?
I see one really huge issue with this perspective. Scenario:
- I "log on" as you
- I say mean and disparaging things about, oh I don't know - say catweazel
- Now the moderators/administrators have a task to determine exactly who did it - just for the purposes of banning and/or disciplining me. And, if I did it from an Internet Café instead of from one of my usual machines - attribution might be an issue
Oh, and my forum password is 3 sextillion years secure - good enough for me.
Re: Poll: are forums password requirements too complicated?
Then how should we avoid users posting under other users' names, editing other users' posts and so on?
If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!