New Password Requirements and Password Reset
Moderator: GZDoom Developers
-
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
You need at least one uppercase letter in that bad password.
-
- Posts: 1562
- Joined: Tue Oct 20, 2015 12:50 pm
- Graphics Processor: nVidia with Vulkan support
- Location: Kozolupy, Bohemia
-
- Lead GZDoom+Raze Developer
- Posts: 49183
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
What's up with the password enter page here? I needed 5 tries to finally get through it and it wouldn't work with Firefox's securely generated passwords, apparently they are not long enough.
-
- Lead GZDoom+Raze Developer
- Posts: 49183
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
2FA will drive away people for sure. Myself included. I find Discord's verification mails barely acceptable, but if something requires 2FA I'll be gone - with the sole exception of my online banking access. I have already quit some services once they started requiring installing shit on my smartphone.ramon.dexter wrote: ↑Wed Jan 18, 2023 10:02 am What about normal password and twofactor authorization?
-
- Posts: 1562
- Joined: Tue Oct 20, 2015 12:50 pm
- Graphics Processor: nVidia with Vulkan support
- Location: Kozolupy, Bohemia
Re: New Password Requirements and Password Reset
Graf Zahl: well, I meant something like link sent in email, no local app in computer.
-
- Posts: 1748
- Joined: Fri Sep 23, 2005 9:17 am
- Location: Czech Republic
Re: New Password Requirements and Password Reset
20 characters is just stupid, like that will stop database breaches. It just makes the password unwieldly for use.
-
- Posts: 1562
- Joined: Tue Oct 20, 2015 12:50 pm
- Graphics Processor: nVidia with Vulkan support
- Location: Kozolupy, Bohemia
Re: New Password Requirements and Password Reset
No, 20 characters is just too long to remember. And yes, I come from the old times where the password manager was called 'memory'.
-
- Lead GZDoom+Raze Developer
- Posts: 49183
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
Of course you can remember 20 character passwords, just use passphrases, like "IAmTooLazyToRememberMyPasswords00"
(Ok, that one's not secure anymore now that I posted it, but I hope you get the idea.)
Also, the old times when the password manager was called "memory" is precisely where all these insecure passwords come from that occasionally get hacked.
It's still a lot easier to remember a handful of words than a random sequence of characters.
(Ok, that one's not secure anymore now that I posted it, but I hope you get the idea.)
Also, the old times when the password manager was called "memory" is precisely where all these insecure passwords come from that occasionally get hacked.
It's still a lot easier to remember a handful of words than a random sequence of characters.
-
- Posts: 1748
- Joined: Fri Sep 23, 2005 9:17 am
- Location: Czech Republic
Re: New Password Requirements and Password Reset
That too. A short sentence is better than number. I hate when pages want upper, lower, special and number, but don't let you have a whitespace.
-
- Posts: 516
- Joined: Sat Aug 19, 2017 11:52 pm
- Graphics Processor: nVidia (Modern GZDoom)
Re: New Password Requirements and Password Reset
I couldn't agree more!Graf Zahl wrote: ↑Wed Jan 18, 2023 10:33 am 2FA will drive away people for sure. Myself included. I find Discord's verification mails barely acceptable, but if something requires 2FA I'll be gone - with the sole exception of my online banking access. I have already quit some services once they started requiring installing shit on my smartphone.
-
- Posts: 1562
- Joined: Tue Oct 20, 2015 12:50 pm
- Graphics Processor: nVidia with Vulkan support
- Location: Kozolupy, Bohemia
-
- Admin
- Posts: 6191
- Joined: Thu Feb 26, 2004 3:02 pm
- Preferred Pronouns: He/Him
Re: New Password Requirements and Password Reset
Longer actually is better when it comes to passwords.
If the password database is stored correctly, all that leaks would be an encrypted table of hashed/encrypted passwords. The longer those passwords are, the longer it'll take to brute-force them into plaintext. Each additional character adds an exponential amount of complexity. This is where most leaks come from.
Compromised accounts on this forum are coming from people who use old, insecure passwords which bots already have in The Big List Of Cracked Common Passwords And Usernames. This makes it a lot easier for a bot to just try a bunch, especially if that person used the same password on other sites that were already leaked and cracked. By making our requirement longer than other sides, it's less likely that the same password gets reused.
Phrase-based passwords are... fine. Unfortunately they're also a known factor in password cracking, meaning that it's possible to attack them by simply listing a bunch of words from the dictionary together, so CorrectHorseBatteryStaple, although technically 25 characters, is actually more like a 4-character password where the number of possible "letters" is "semi-common english words".
These days, some kind of password manager is pretty much a necessity. Most browsers (and mobile platforms) actually have good built-in ones, so there's no need to use 3rd-party databases and paid apps like LastPass unless you want extra features. Generating passwords can be done easily with various free services (which avoids the problem like we've seen here that FireFox doesn't generate enough characters and isn't customizable). That said, I do like LessPass because it allows algorithmically generating passwords on-the-fly using some "master password" as a hash, so you really only need to remember one password, and it doesn't need to keep a database either. PasswordCard is also a very good choice if you like physical reminders but still want to practice proper security.
I wouldn't mind 2A support if it's optional. OAuth is an open free standard so there's plenty of one-time-code generators which don't have any sort of tracking or online database features, you don't need to use Google Authenticator or the like.
If the password database is stored correctly, all that leaks would be an encrypted table of hashed/encrypted passwords. The longer those passwords are, the longer it'll take to brute-force them into plaintext. Each additional character adds an exponential amount of complexity. This is where most leaks come from.
Compromised accounts on this forum are coming from people who use old, insecure passwords which bots already have in The Big List Of Cracked Common Passwords And Usernames. This makes it a lot easier for a bot to just try a bunch, especially if that person used the same password on other sites that were already leaked and cracked. By making our requirement longer than other sides, it's less likely that the same password gets reused.
Phrase-based passwords are... fine. Unfortunately they're also a known factor in password cracking, meaning that it's possible to attack them by simply listing a bunch of words from the dictionary together, so CorrectHorseBatteryStaple, although technically 25 characters, is actually more like a 4-character password where the number of possible "letters" is "semi-common english words".
These days, some kind of password manager is pretty much a necessity. Most browsers (and mobile platforms) actually have good built-in ones, so there's no need to use 3rd-party databases and paid apps like LastPass unless you want extra features. Generating passwords can be done easily with various free services (which avoids the problem like we've seen here that FireFox doesn't generate enough characters and isn't customizable). That said, I do like LessPass because it allows algorithmically generating passwords on-the-fly using some "master password" as a hash, so you really only need to remember one password, and it doesn't need to keep a database either. PasswordCard is also a very good choice if you like physical reminders but still want to practice proper security.
I wouldn't mind 2A support if it's optional. OAuth is an open free standard so there's plenty of one-time-code generators which don't have any sort of tracking or online database features, you don't need to use Google Authenticator or the like.
-
- Posts: 1420
- Joined: Wed Jun 01, 2011 10:25 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): Windows 10
- Graphics Processor: nVidia with Vulkan support
- Location: Castle Wolfenstein
Re: New Password Requirements and Password Reset
This seems to be a good idea i myself make it a point for me to change my passwords once a year only thing i have a gripe with is the 20 character long password generator lol
-
- Lead GZDoom+Raze Developer
- Posts: 49183
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
That might be true if there were merely 50 or 60 English words. But even with an available dictionary of just 1000 words a 4 word passphrase would have 1000 * 1000 * 1000 * 1000 permutations. This will far more quickly explode into unmaintainable dimensions than short words. Add one word that makes sense only to you and it's gonna be even harder to crack it with a brute force dictionary attackCaligari87 wrote: ↑Wed Jan 18, 2023 11:39 am Phrase-based passwords are... fine. Unfortunately they're also a known factor in password cracking, meaning that it's possible to attack them by simply listing a bunch of words from the dictionary together, so CorrectHorseBatteryStaple, although technically 25 characters, is actually more like a 4-character password where the number of possible "letters" is "semi-common english words".
-
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
especially if the word isn't in the dictionary, or an acronym you made up.
If you cannot remember your password then it doesn't matter how long it is. And don't say "the password manager will!". Maybe I need to login to smth critical on a new device. (I bought it new) if I can't remember it then I'm locked out.Caligari67 wrote: Longer actually is better when it comes to passwords.