Poll: are forums password requirements too complicated?

[Moem]

Anarchy? Naw.

[Faust]

Is it just me , or has this become the silliest thread in some time ?

And there have been some strong contenders for that dubious accolade recently .

Example :- the member who posted about searching for a secure browser , then argued against all the sound advice given .....

Edit : @jimallyn

I don't mean you ....
I fully support this as being a good thread/poll starter , especially in the light of the idiotic comment that I suspect may have prompted it .

[kukamuumuka]

Does phpBB allow alhabeths like äöå with password?

[gm10]

Does phpBB allow alhabeths like äöå with password?

heh, yeah, just allow the full unicode range and your complexity goes through the roof. Plus I could log in with something like this:



Make it so, karlchen.

You'd still need to keep a minimum length because just because you can use it doesn't mean someone won't use 1234 as their password, regardless.

[BG405]

You'd still need to keep a minimum length because just because you can use it doesn't mean someone won't use 1234 as their password, regardless.

I know a lot of people use swear words, or acronyms thereof .. including a few in the medical profession Wonder how easily guessed these are (even if they also contain random characters)?

[gm10]

You'd still need to keep a minimum length because just because you can use it doesn't mean someone won't use 1234 as their password, regardless.

I know a lot of people use swear words, or acronyms thereof .. including a few in the medical profession Wonder how easily guessed these are (even if they also contain random characters)?

Depends on the random characters, modern password crackers will use rainbow tables calculated from wordlists generated with the common substitutions and additions in mind. And that's pretty much the only bar you got to pass unless you've got really important data hidden behind that password. Nobody spends time actually brute-forcing password lists from random websites. The percentage of passwords found just using rainbow tables/pre-computed word lists is way too high for that to be worth it, plus often they got into the system using some vulnerability and manage to will try to snag your unencrypted password instead.

It's different for individual passwords. Like when your neighbor wants to get into your WLAN then they'll brute-force that password for sure (although issues with the protocols often allows to greatly reduce complexity required for forcing it).

[BG405]

Like when your neighbor wants to get into your WLAN then they'll brute-force that password for sure (although issues with the protocols often allows to greatly reduce complexity required for forcing it).

Hopefully that risk will be mitigated by using MAC filtering, but I suppose they could be spoofed, too.

[gm10]

Like when your neighbor wants to get into your WLAN then they'll brute-force that password for sure (although issues with the protocols often allows to greatly reduce complexity required for forcing it).

Hopefully that risk will be mitigated by using MAC filtering, but I suppose they could be spoofed, too.

Well, for any serious attempt cloning the MAC to one of an existing client would be the first thing you do, both to circumvent MAC filters - you might even get lucky and find an idiot who uses the MAC as their only authentication measure so get in without any effort - and to not show up as a third-party in their logs (should they have any). Your MAC isn't secret, it goes over the air for everyone to see (and clone).

In other words, MAC filtering is no security measure.

[xenopeek]

Time to go for WPA3.

[BG405]

In other words, MAC filtering is no security measure.

On its own, no, but it must help when combined with a decent password & range limiting (if that actually works). Would someone NOT logged in to your network be able to see the MAC addresses of machines you have connected via WiFi? In that case it would be better to use Ethernet instead, which I do anyway for large file transfers.

[gm10]

In other words, MAC filtering is no security measure.

Would someone NOT logged in to your network be able to see the MAC addresses of machines you have connected via WiFi?

Of course. Everybody capable of receiving your devices' radio waves (i.e. everybody in your block at least) will know your MAC address, and that's not the only thing.

So let me repeat with emphasis: MAC filtering is no security measure. Not even a little.

[BG405]

Of course. Everybody capable of receiving your devices' radio waves (i.e. everybody in your block at least) will know your MAC address, and that's not the only thing

Thanks for that valuable information.

I didn't realize it was THAT open, but it does make sense. It IS the primary machine (hardware device) identifier, after all, I believe.

I think xenopeek's suggestion may be a good one at this point.

[gm10]

I think xenopeek's suggestion may be a good one at this point.

Sure, but the MAC thing won't change with that. And while WPA3 will be quite a big step forward (no more lazy passive drive-by brute-forcing of all networks in your area, now you'll have to run active attacks), and despite it forcing encryptio now, don't get lulled into a false sense of security, always run additional encryption on top of the link where possible.

Besides, there's still even WEP networks around, WPA2 devices will stay around for years to come and WPA3-only networks will be super rare for quite a while yet.

[BG405]

Sure, but the MAC thing won't change with that. And while WPA3 will be quite a big step forward (no more lazy passive drive-by brute-forcing of all networks in your area, now you'll have to run active attacks), and despite it forcing encryptio now, don't get lulled into a false sense of security, always run additional encryption on top of the link where possible.

I do appreciate that it won't affect the MAC issue, however it would be good to discuss the encryption options. I think this would be better done in another thread though, if that's OK, unless it's already been covered elsewhere on the forum & I've missed it. Sorry I appear to have derailed the thread ..

[Valsodar]

It has been suggested that the forums password requirements are too complicated:

Password must be between 10 characters and 32 characters long, must contain letters in mixed case, must contain numbers and must contain symbols.

What do you think?

Nope. My passwords usually exceed the minimum number of characters and the rest of the requirements, even if the website doesn't have any requirements.