posted by martyb on Friday August 19 2016, @07:32PM
from the keeping-things-to-yourself dept.

The latest NIST (United States National Institute of Standards and Technology) guidelines on password policies recommend a minimum length of 8 characters. Perhaps more interesting is what they recommend against. They recommend against allowing password hints, requiring the password to contain certain character classes (such as numeric digits or upper-case letters), using knowledge-based authentication (e.g., "What is your mother's maiden name?"), using SMS (Short Message Service) for two-factor authentication, or expiring passwords after a fixed amount of time. They also provide recommendations on how password data should be stored.

[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]


  • (Score: 2, Interesting) by Anonymous Coward on Friday August 19 2016, @07:59PM (#390236)

    Quantity is more important than quality. Anything over 16 characters is going to be practically secure for longer than it takes for the password db/authentication mechanism to be exploited and the plaintext retrieved/captured.

    The only time the added security of mixed case and non-alphanumeric characters adds a benefit is when you happen upon one of those dumb sites that is still using 8-12 character strong passwords, and honestly most of them probably have remote exploits calling their password entry/authentication mechanism's security into question anyways. And if you can steal it from there, it doesn't matter *HOW* secure your password is.

    But maybe I am silly for thinking that way.

  • (Score: 3, Funny) by SomeGuy (5632) on Friday August 19 2016, @08:14PM (#390244)

    But maybe I am silly for thinking that way.

    Yes, very silly. You forget that the system needs to LOOK secure, even if it isn't (also see: TSA).

    Incidentally, your new password is: ^7j\%_kt%{s/Pn#Zm.D6b+xU{;>?WRh},wyCNM',&,(2hfJsCsMW7$G_,wGw36bF7jg$8sa/#fd(.vPN7nJN+4:^,8.yrQCE\;Q6VT(Twn)hC+a].$HgQNVdr&3E\b&~ZPW}eC#HrFTy(;3Ltk}^WD#])^@WDH``mu~BrX;s+bc7Hx%}+/hW3aqh;k&^Xa#bUCPY.n;TSaGs$#:cgEq4]55!"K;}.fP!Hm2~F4m5}`:f%,*2S7&GHt:tJ=N_s2nc~=_S'-epge75bJCC(N2/B}!F>H(D_*RL@z6#E5s{)*D/;9tEs,X)hgp]Lhn?b#.F7Jm7?`y28#[5"7>:x4$p`,>;a(EKLq*4ezgY_Ef[EMcz5yeg^(tr"&U/p_;-,#gTJq>$_q=u!2jF&?]Ude*C9J`7;~G(9F~AzB2&(D=uG7\n_aERgf+5K;eR:Ax/zeHZfKF5jE[)D^VyD&tQ:(tzh[f`$XBdQ9z:.Yp)X+wMA_$a='^#Yc^8FUj=!]NntSeQG7chPa*>Nmkg?MjSg+k^=U3[ux\M36]kXPQxj&CjYdh]h{'5qMS]362H5^$K%&bD'3;KgP2@NfkS$KfL{=p`mJ]LEP4?y(d/&(H/jP]zH?g-:.^jxT8VAT!BacZf';X>DK/M$*4V3hYR!66j/K;$8`X~7}Cgya~~$ZTcKVFXt.7W($=GGf]Mxg*pQ,=fAJ/\YbQy-9)qDSNpja"N6rLjYsRVF=hrVk`jFRY/Vpj#UWfL4Ae4q_&QNnEc)W;F5A{jUTZ\]Q>k+a"p8t"TS=V34~nku!MVhnc5'qrJW%WKTD*V+bK,2dnP[fsESG#gN"3`+%}Ds]#tV`2C4Lm/McqS+Bxy>dgCVyq/xQh?T:$K{a>K\%DXYK'_$/c$!"WbMe[hRkWUFLv=N]HjJ!PY62*L);F7+3BqUPM

    You must not forget it, and you are not allowed to write it down.

    • (Score: 1, Funny) by Anonymous Coward on Friday August 19 2016, @08:29PM (#390257)

      There was a time when I used to tell people to change their random password to something they could remember. They never did. Instead they blamed me when they couldn't remember their random password. I don't bother to tell people anything anymore.

    • (Score: 4, Funny) by Whoever (4524) on Saturday August 20 2016, @01:21AM (#390379) Journal

      His password is Perl code?

  • (Score: 2, Insightful) by Anonymous Coward on Friday August 19 2016, @08:22PM (#390253)

    Quantity is more important than quality. Anything over 16 characters is going to be practically secure for longer than it takes for the password db/authentication mechanism to be exploited and the plaintext retrieved/captured.

    The only time the added security of mixed case and non-alphanumeric characters adds a benefit is when you happen upon one of those dumb sites that is still using 8-12 character strong passwords, and honestly most of them probably have remote exploits calling their password entry/authentication mechanism's security into question anyways. And if you can steal it from there, it doesn't matter *HOW* secure your password is.

    But maybe I am silly for thinking that way.

    Unfortunately you are being a bit silly, or at least overly simplistic. Consider the following two systems.

    1) A system which requires passwords exactly 16 characters long (huge quantity, as you described above). The system will only allow 0 and 1 as data input.
    2) A system which requires passwords exactly 8 characters long. The system will allow all alphanumeric characters.

    Assuming users were using the system correctly (so no passwords of "0000000000000000" or "password"), which is easier to crack?

    The length, complexity, and everything else doesn't matter as much as password entropy. There is a lot of information theory behind this, but the simple example can be seen at XKCD [xkcd.com].
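    To put numbers on the two systems in this comment (16 binary digits versus 8 alphanumeric characters) and on the XKCD-style passphrase it points to, here is an added example that is not from the original thread. The passphrase model (four words drawn from a 2048-word list) and the guess rate of 1e10 guesses per second for an offline attack on a fast hash are constructed assumptions, used only to compare policies.

```python
import math

# Policy models from the comment above, plus a constructed XKCD-style
# passphrase: (alphabet size, number of uniformly chosen positions).
POLICIES = {
    "binary16": (2, 16),       # exactly 16 characters, only 0 and 1
    "alnum8": (62, 8),         # exactly 8 characters, [A-Za-z0-9]
    "passphrase4": (2048, 4),  # assumption: 4 words from a 2048-word list
}


def policy_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random under the policy."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(alphabet_size)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords the policy permits."""
    return alphabet_size ** length


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to find the password: half the keyspace must be searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Entropy, keyspace and average offline crack time for every policy."""
    results = {}
    for name, (alphabet_size, length) in POLICIES.items():
        bits = policy_entropy_bits(alphabet_size, length)
        results[name] = {
            "bits": bits,
            "keyspace": keyspace(alphabet_size, length),
            "avg_seconds": expected_crack_seconds(bits, guesses_per_second),
        }
    return results


def strongest(results: dict) -> str:
    """Name of the policy with the most entropy; length alone does not decide."""
    return max(results, key=lambda name: results[name]["bits"])


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name:12s} {r['bits']:6.1f} bits  {r['keyspace']:>16d}  ~{r['avg_seconds']:.3g} s")
    print("strongest:", strongest(compare_policies()))
```

    The 16-digit binary policy yields only 16 bits, the 8-character alphanumeric policy about 47.6 bits, and the four-word passphrase 44 bits, which is why the comment's point is about entropy rather than raw character count.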

  • (Score: 0) by Anonymous Coward on Saturday August 20 2016, @02:55AM (#390407)

    honestly most of them probably have remote exploits calling their password entry/authentication mechanism's security into question anyways. And if you can steal it from there, it doesn't matter *HOW* secure your password is.

    Which is why I don't bother with secure passwords for many online sites.

    Why waste time creating and entering strong passwords when it's far more likely that such sites regularly get pwned? Just look at history. Car analogy: it's like paying to install stronger door locks on a soft-top convertible when there's a history of thieves not bothering with the doors to steal convertibles.

    Don't use stupidly weak passwords which are guessable and don't use the same passwords for sites that count and that's enough. Which attacker is going to brute force your weak but hard to guess password over the network? It'll look like a DoS/DDoS attack! If they are brute forcing it locally then the password doesn't really matter already.

    And even then, so what if your password on some forum is password12345? Someone can pretend to be you? It might make you even safer, since you could plausibly say someone hacked your account and posted illegal stuff :). Whereas if your account is supposedly so secure with two-factor auth etc. and all that, and one day it's used to post child porn (due to some unknown flaw), they might not believe you when you say it wasn't you (even if it really wasn't you!).

    There's also getting access via the "helpful" Support Team. Often you can take over someone's account by just calling support: http://imgur.com/WszA4Cw [imgur.com]
    See also: https://www.youtube.com/watch?v=bjYhmX_OUQQ&feature=youtu.be&t=2m13s [youtube.com]
    http://fusion.net/story/281543/real-future-episode-8-hack-attack/ [fusion.net]