Poll: are forums password requirements too complicated?


Are forums password requirements too complicated?

- Not at all. (38 votes, 76%)
- Kinda. (5 votes, 10%)
- For sure! (7 votes, 14%)

Total votes: 50

Neil Edmond
Level 6
Posts: 1347
Joined: Thu Dec 26, 2013 10:19 am
Location: N.E. AR USA

Re: Poll: are forums password requirements too complicated?

Post by Neil Edmond »

gm10 wrote: Mon Sep 03, 2018 3:25 am
When I need a new password, I just have my password manager generate one and then I forget about it. I see no need for simple passwords, ever.
Same here. Strong passwords should be complicated, and never repeated on another site.
stephanieswitzer
Level 4
Posts: 235
Joined: Mon Feb 26, 2018 12:49 pm
Location: Ontario

Re: Poll: are forums password requirements too complicated?

Post by stephanieswitzer »

I'm a little late to the discussion as I just returned from England. Anyway, online security is up to the individual, and I think that passwords are a key part of that security. I have over 170 unique passwords being managed with Dashlane. It may be a pain, but anyone who is serious about their online security should use a PW manager, unless they have one fantastic memory. And of course if a person doesn't like the PW rules of a particular web site, then they are free not to join.
Mac-Mini running Linux Mint 20.3 Cinnamon, Intel© Core™ i5-2415M CPU @ 2.30GHz
MacBookPro9,2 running Linux Mint Cinnamon 20.3 Intel Core i5-3210M CPU @ 3.20GHz
System76 Galago Pro 4, running Linux Mint Cinnamon 20.3 Intel i5-1021 CPU @ 4.2 Ghz
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: Poll: are forums password requirements too complicated?

Post by xenopeek »

Data breaches unfortunately happen. Seems like a month can't go by without reading about a data breach at some organization, affecting hundreds of millions of accounts. To stay at least somewhat safe online, do the following:
- use a unique password for each website
- use a password manager and let it generate passwords for you
- prefer to use long passwords
- prefer to use two-factor authentication (2FA)—so that to access your account you need to know something (password) and have something (like your smartphone to generate or receive a one-time access code)
- subscribe on https://haveibeenpwned.com/ to receive notifications when a website where you have an account is involved in a data breach

While these days most websites will be storing passwords encrypted, very short and/or very simple passwords can be brute forced individually in minutes if not seconds. Brute forcing means repeatedly guessing a password, encrypting the guess with the same algorithm as the website used and comparing the result with the encrypted password from a database of accounts obtained through a data breach.

The current length and complexity requirements were put in place (see https://blog.linuxmint.com/?p=3013) following the data breach of the forums early 2016 (see https://blog.linuxmint.com/?p=3007). Dropping the complexity requirement would mean significantly increasing the minimum length requirement to keep the passwords at the same minimum difficulty to brute force. Length trumps complexity (see https://xkcd.com/936/) but enforcing a longer length was estimated to be more inconvenient for our users. A lot was done, and continues to be done, by Linux Mint and its security partners to improve security of its websites.

With the current password requirements you can expect a single computer to need a few years to brute force it. A supercomputer will do it in a few minutes. Drop the complexity requirements and use a weak password (two dictionary words for example) and the password can be brute forced within an hour on a single computer. A supercomputer would need a couple of nanoseconds (millionths of a second). You can dramatically increase the time needed to brute force your password by increasing the length. (Increasing length from 10 to 20 characters would make a supercomputer need a few thousand years to brute force it.)
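Added example (not part of xenopeek's post or of the forum's software): the length-versus-complexity trade-off described above, worked through in Python. The alphabet sizes, the 10-character baseline and the guess rate are assumptions, since the thread does not state the forum's exact policy or how fast its password hashes can be tested.

```python
import math

# Assumed symbol counts; the thread does not spell out the forum's exact policy.
LOWER = 26                    # a-z only
MIXED = 26 + 26 + 10 + 32     # upper, lower, digits, ASCII punctuation = 94
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length, alphabet):
    """Entropy of a uniformly random string; human-chosen passwords have less."""
    return length * math.log2(alphabet)


def equivalent_length(length, alphabet_from, alphabet_to):
    """Shortest length over alphabet_to whose keyspace is >= alphabet_from**length."""
    target = alphabet_from ** length      # exact integer arithmetic
    n = 0
    while alphabet_to ** n < target:
        n += 1
    return n


def years_to_exhaust(length, alphabet, guesses_per_second):
    """Worst-case years to try every candidate at a given offline guess rate."""
    return alphabet ** length / guesses_per_second / SECONDS_PER_YEAR


def passphrase_bits(words, wordlist_size):
    """Entropy of words drawn at random from a list (the xkcd 936 model)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    rate = 1e10  # constructed guess rate; real rates depend on the hash algorithm
    print(f"10 mixed chars : {entropy_bits(10, MIXED):.1f} bits")
    print(f"same strength, lowercase only: {equivalent_length(10, MIXED, LOWER)} chars")
    print(f"4 words of 2048: {passphrase_bits(4, 2048):.1f} bits")
    for n in (10, 20):
        print(f"{n} mixed chars : {years_to_exhaust(n, MIXED, rate):.3g} years")
```

These figures are upper bounds that hold only for randomly generated secrets, which is one more reason to let a password manager do the generating.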
Pippin
Level 4
Posts: 441
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: Poll: are forums password requirements too complicated?

Post by Pippin »

I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
gm10

Re: Poll: are forums password requirements too complicated?

Post by gm10 »

Finally a voice of reason. Thanks xenopeek, was starting to lose hope. ;)
HaveaMint
Level 6
Posts: 1085
Joined: Fri Feb 02, 2018 9:56 pm

Re: Poll: are forums password requirements too complicated?

Post by HaveaMint »

Pass Phrases are what I use when allowed.
https://www.passworddragon.com/password-vs-passphrase
"Tune for maximum Smoke and then read the Instructions".
HaveaMint
Level 6
Posts: 1085
Joined: Fri Feb 02, 2018 9:56 pm

Re: Poll: are forums password requirements too complicated?

Post by HaveaMint »

However, a passphrase on this site would be fairly easy to guess, i.e.: "I love linux mint because it got me away from Windows"
"Tune for maximum Smoke and then read the Instructions".
BG405
Level 9
Posts: 2510
Joined: Fri Mar 11, 2016 3:09 pm
Location: England

Re: Poll: are forums password requirements too complicated?

Post by BG405 »

Are the minimum requirements for password complexity sufficient to prevent easy* compromise by an attacker / hacker etc.? That is the important question for me.

Too complex? Definitely not!

*Without access to sufficiently powerful hardware such as a supercomputer such attacks would likely need to be targeted.
Dell Inspiron 1525 - LM17.3 CE 64-------------------Lenovo T440 - Manjaro KDE with Mint VMs
Toshiba NB250 - Manjaro KDE------------------------Acer Aspire One D255E - LM21.3 Xfce
Acer Aspire E11 ES1-111M - LM18.2 KDE 64 ----Two ROMS don't make a WRITE
gm10

Re: Poll: are forums password requirements too complicated?

Post by gm10 »

BG405 wrote: Tue Sep 04, 2018 12:13 pm *Without access to sufficiently powerful hardware such as a supercomputer
Well, supercomputers not, but distributed computing is readily available and fairly cheap these days, and the malicious actors compromising account databases for commercial gain will probably just task this off to a botnet, anyway.
Schultz
Level 9
Posts: 2966
Joined: Thu Feb 25, 2016 8:57 pm

Re: Poll: are forums password requirements too complicated?

Post by Schultz »

Neil Edmond wrote:
Same here. Strong passwords should be complicated,
Longer is better than complex. I think there shouldn't be a maximum allowed limit like this forum has (32 characters). It should be as long as the user wants.
all41
Level 19
Posts: 9525
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Poll: are forums password requirements too complicated?

Post by all41 »

Schultz wrote: Tue Sep 04, 2018 5:41 pm
Neil Edmond wrote:
Same here. Strong passwords should be complicated,
Longer is better than complex. I think there shouldn't be a maximum allowed limit like this forum has (32 characters). It should be as long as the user wants.
I don't trust important passwords to the cloud, and I sometimes find myself needing to access a certain account without keypass handy.
Here is an example password: Wk0cdIs wbwbam wamohn?


pwstrength.png
Both long and complicated, has upper/lowercase, numbers, and symbols but easy to remember. Here is the mental clue.

What kind of clothes do I suppose would be worn by a man with mole on his nose?
A quote from an old tv series.
This is NOT my password :P , just an example of the formation.
Everything in life was difficult before it became easy.
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: Poll: are forums password requirements too complicated?

Post by xenopeek »

A supercomputer does it about 3 million times faster. Still takes 2.5 quintillion years. You're good.
DAMIEN1307

Re: Poll: are forums password requirements too complicated?

Post by DAMIEN1307 »

how long would it take for a super computer to crack mine ?...DAMIEN

It would take a computer about

177 UNDECILLION YEARS

to crack your password
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Poll: are forums password requirements too complicated?

Post by catweazel »

DAMIEN1307 wrote: Wed Sep 05, 2018 4:09 am 177 UNDECILLION YEARS
10 million years is good enough for me.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
HaveaMint
Level 6
Posts: 1085
Joined: Fri Feb 02, 2018 9:56 pm

Re: Poll: are forums password requirements too complicated?

Post by HaveaMint »

catweazel wrote: Wed Sep 05, 2018 4:16 am
DAMIEN1307 wrote: Wed Sep 05, 2018 4:09 am 177 UNDECILLION YEARS
10 million years is good enough for me.
And you have been alive half of that time :lol: :lol:
"Tune for maximum Smoke and then read the Instructions".
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Poll: are forums password requirements too complicated?

Post by catweazel »

HaveaMint wrote: Wed Sep 05, 2018 4:21 am
catweazel wrote: Wed Sep 05, 2018 4:16 am
DAMIEN1307 wrote: Wed Sep 05, 2018 4:09 am 177 UNDECILLION YEARS
10 million years is good enough for me.
And you have been alive half of that time :lol: :lol:
Harharhar!
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
altair4
Level 20
Posts: 11461
Joined: Tue Feb 03, 2009 10:27 am

Re: Poll: are forums password requirements too complicated?

Post by altair4 »

I have a completely different perspective on all this. I don't think the forum should have any passwords.

The way I see it, the NSA, CIA, the government of China, preteen Russian kids, Google, Amazon, etc. already have access to all of my records and financial accounts. The only reason I haven't been personally harmed in any way is because once in they find it wasn't worth the trouble.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
srq2625

Re: Poll: are forums password requirements too complicated?

Post by srq2625 »

altair4 wrote: Wed Sep 05, 2018 8:56 am I have a completely different perspective on all this. I don't think the forum should have any passwords.
I see one really huge issue with this perspective. Scenario:
  1. I "log on" as you
  2. I say mean and disparaging things about, oh I don't know - say catweazel
  3. Now the moderators/administrators have a task to determine exactly who did it - just for the purposes of banning and/or disciplining me. And, if I did it from an Internet Café instead of from one of my usual machines - attribution might be an issue
Just sayin'

Oh, and my forum password is 3 sextillion years secure - good enough for me.
Moem
Level 22
Posts: 16238
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Poll: are forums password requirements too complicated?

Post by Moem »

altair4 wrote: Wed Sep 05, 2018 8:56 am I have a completely different perspective on all this. I don't think the forum should have any passwords.
Then how should we avoid users posting under other users' names, editing other users' posts and so on?

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
gm10

Re: Poll: are forums password requirements too complicated?

Post by gm10 »

Moem wrote: Wed Sep 05, 2018 9:46 am
altair4 wrote: Wed Sep 05, 2018 8:56 am I have a completely different perspective on all this. I don't think the forum should have any passwords.
Then how should we avoid users posting under other users' names, editing other users' posts and so on?
anarchy now.jpg