This is a perfectly valid request and I fully understand that, honestly. The problem is, people nowadays do not feel responsible for anything anymore. This is why we have insurance, etc. Of course, this is not the case with everyone, especially not on this forum, I hope, where we have a lot of great old school people, who still know what LIFE means, without having received an iPhone 11 when they were 12 years old.
That said, the reason for such validations is that the cost for the user on average is much lower than what would happen if there were no restrictions on average.
See, I emphasize the words on average because to you it seems like a big cost, but to most users combined, it is a (very) low cost. So in this case, I guess the majority wins, even if a minority has to suffer from the consequences.
P.S.: A hacked forum account might not be an issue too big for the user. However, if a high level account is hacked, the forum can suffer huge spam situations. So this is another reason why it is really NOT good for the forum itself, if accounts get hacked. It’s not only about the user losing access to their account.
I understand your viewpoint and the risks involved.
What I am trying to say is specifically about the user password of the It’s FOSS community website and not any of the high level accounts.
I really don’t understand the difference in making it compulsory instead of voluntary to have a 10 character password or 8 character password. Maybe websites can take a leaf out of @Pac2m43’s book / post and make 18 characters a minimum and then raise it every year (by whatever increments they like. I assume 32+ won’t be a limit either) to safeguard the average.
Also, my emphasis was on the freedom of choice, which got lost somewhere in my rant earlier.
I left Microsoft Windows because I had the freedom to do so.
I chose Linux because I had the freedom to do so.
Now just think: if someone had the authority to select which OS is good for me based upon majority or average, then would I have ever been able to learn and embrace Linux instead of Microsoft Windows? (For this you may go back a few years.)
This is a Discourse install and by default, Discourse uses a 15 character password limit.
Some user requested it to be reduced to 10 and hence the password limit is set to 10 characters.
Now coming to your question: what is a good password length?
There is no clear answer. Even if the forum is hacked and the database leaked, the passwords are hashed. Of course, that can be broken as well and this is where password length matters. Cracking a lengthy password will take more computing power and time.
Actually, what I meant by “high level accounts” is already included right here, on the It’s FOSS forum. If someone hacked @abhishek’s account or mine, they could spam as much as they want or even change forum settings. So this would be already very harmful to the forum.
I still agree with you regarding your or Abhishek’s account security, but nobody is stopping you guys from creating a 12 or 14 character strong password. Those who need security and are aware of it may have a stronger and more complex password.
What I am insisting upon is the minimum password length limit.
If it is 10 then also you and Abhishek can have a 12 or 14+ character password and nobody is stopping you.
I am being stopped from having a shorter password because someone thinks that below 10 is insecure. Many websites even allow 8 characters as a minimum.
If you look at these expert sources, you see that password length plays the biggest role in terms of security.
If you have a really long password (32 characters and more) then you do not even need those complicated and weird characters. So I hope this answers your questions as to why there is a decision on a certain minimum length, which is absolutely not just arbitrarily chosen.
I have Firefox set up so every website I visit, including this one, gets opened like an app, nothing to do with Ice Apps though similar; it’s this one thing that keeps me coming back to the XFCE environment. When it comes to passwords, Firefox has them locked away for me to automatically go to the website of choice and automatically logged in. Here is a look at my desktop; across the top are my website links from the left onwards.
To set these up you have to go to every website login and copy and paste the URL, then find a suitable icon for the app. With Ice Apps it’s a private window, but this which I’m demonstrating opens instantly, rather than waiting for a default browser window to open. Also it saves clogging up the browser with shortcuts or tabs. I’ve always set up my Linux like this. Passwords are important to not be so easy, as a lot of people make the mistake of using 1234 as their password. Firefox has a password maker inbuilt, with over forty odd characters, though don’t quote me on that, it just looked a lot when Firefox asked if I would consider using one of their made up ones. So all of my websites on here and all my other computers are set up to automatically log me in. I would never ever do this with Chrome, as their security to my mind is too open, plus all the telemetry they take from you. At least with Firefox you can switch off Google altogether and choose a different, more private search engine. I use Duck Duck Go; they have gotten bigger and better over the years and they don’t take anything or spy on you.
I am not convinced that two pass authentication is the solution…using the methods that are currently available. I don’t like the fact that normally double authentication means you need to supply your mobile phone number and then you have no control over where it has been saved and who has access to it. Sometimes for various reasons I am more or less forced to use Google. My cookies get deleted automatically, so the first thing Google does is to tell me to check my mobile and convince them that it really is “me”… sooner or later they will probably start collecting ID pictures and will insist that I allow them to use my mobile so that they can use the camera to compare. I am convinced that in the not too far future user identification will play a much larger part in our lives and that personal privacy will slowly be whittled away.