Your Password or mine?

There are many sites that have password format or size restrictions or both so it is not a surprise that we also have the same here (I believe for the sake of …Security).

What troubles me here is that every website thinks that either we have very good memory or we use some sort of password keeper for ourselves.

What makes you think that a 10 character long password is good and less than 10 is bad?

Our community website is no different. It won't allow me to reset my password containing…
1 Capital Letter / alphabet
1 Special Character
1 number
6 normal characters

and all it shows is “Your Password is too short”.

I know this is your choice to go with the minimum of 10 or 8 or something else, but it irritates me.

I believe that websites try to make their users keep strong password for user’s own sake but at what cost to user.

Many good websites were hacked and their user databases were stolen. So a password needs to be safe from both sides, so why is the burden of remembering a long and complex password put on the user?

Just like all legal disclaimers, policies and agreements, why can't the onus of choosing a password be put on the user? Let me choose my password and let me be responsible for it.

A simple password is easy to remember and relate to, whereas complex passwords need to be stored somewhere for sure, be it in paper or electronic form, and then the hackers come into the scene.

All above is a rant and I know it. I am frustrated by people governing my passwords when it is me who needs to remember them.

My pass is up to 18 ** and I plan to go to 32+ next year

This is a perfectly valid request and I fully understand that, honestly. The problem is, people nowadays do not feel responsible for anything anymore. This is why we have insurance, etc. Of course, this is not the case with everyone, especially not on this forum, I hope, where we have a lot of great old school people, who still know what LIFE means, without having received an iPhone 11 when they were 12 years old.

That said, the reason for such validations is that the cost to the user on average is much lower than what would happen if there were no restriction, on average.
See, I emphasize the words on average because to you it seems like a big cost, but to most users combined, it is a (very) low cost. So in this case, I guess the majority wins, even if a minority has to suffer from the consequences.

P.S.: A hacked forum account might not be an issue too big for the user. However, if a high level account is hacked, the forum can suffer huge spam situations. So this is another reason why it is really NOT good for the forum itself, if accounts get hacked. It’s not only about the user losing access to their account.

Hey buddy @Pac2m43 ,

Your password your choice and that is my point.

I know you are on my side but on an opposite end.

What minimum password length would you recommend?

Hey @Akito,

I understand your view point and the risks involved.

What I am trying to say is specifically about the user password of itsFOSS community website and not any of the high level accounts.

I really don't understand the difference in making it compulsory instead of voluntary to have a 10 character password or an 8 character password. Maybe websites can take a leaf out of @Pac2m43's book / post and make 18 characters the minimum and then raise it every year (by whatever increments they like; I assume 32+ won't be a limit either) to safeguard the average.

Also, my emphasis was on the freedom of choice, which got lost somewhere in my rant earlier.

I left Microsoft Windows because I had the freedom to do so.

I chose Linux because I had the freedom to do so.

Now just think: if someone had the authority to select which OS is good for me based upon the majority or average, would I ever have been able to learn and embrace Linux instead of Microsoft Windows? (For this you may go back a few years.)

This is a Discourse install and by default, Discourse uses a 15 character password limit.

Some user requested it to be reduced to 10 and hence the password limit is set to 10 characters.

Now coming to your question: what is a good password length?

There is no clear answer. Even if the forum is hacked and the database leaked, the passwords are hashed. Of course, that can be broken as well and this is where password length matters. Cracking a lengthy password will take more computing power and time.

Actually, what I meant by “high level accounts” is already included right here, on the It’sFOSS forum. If someone hacked @abhishek’s account or mine, they could spam as much as they want or even change forum settings. So this would be already very harmful to the forum.

Hey @abhishek,

Thanks for sharing the information regarding Discourse default length limit. I also appreciate that you reduced it on user requests which I believe must be in Majority.

But my question is NOT “What is a good password length.”, rather it is “Why can’t I choose the length of my password”.

Simply put, I want to be less secure if that is my choice. Believe me that my password is indeed long and complex on my bank website as that is again my choice and I understand the risks.

Those who need more security are free to create 10+ character passwords and those who don't may need less.

This topic was just meant for feedback and not for anything else.

Dear @Akito,

I still agree with you regarding your or Abhishek's account security, but nobody is stopping you guys from creating a 12 or 14 character strong password. Those who need security and are aware of it may have a stronger and more complex password.

What I am insisting upon is the minimum password length limit.

If it is 10 then also you and Abhishek can have a 12 or 14+ character password and nobody is stopping you.

I am being stopped from having a shorter password because someone thinks that below 10 is insecure. Many websites even allow 8 characters as the minimum.

Hey @abhishek,

I am tempted to say 8 because that is the average that I encounter. (pun intended).

And I am thankful that you asked for my opinion.

If you look at these expert sources, you see that password length plays the biggest role in terms of security.

If you have a really long password (32 characters and more) then you do not even need such complicated and weird characters. So I hope this answers your question as to why there is a decision on a certain minimum length, which is absolutely not just arbitrarily chosen.
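To put numbers on the length-versus-complexity point made in this post (and the earlier remark that cracking a hashed password gets more expensive with length), here is an added Python example; it is not part of the thread or of Discourse, and the guess rate and sample passwords are constructed assumptions.

```python
import math
import string

# Sizes of the character classes an exhaustive search must cover once the
# attacker knows (or assumes) which classes the password draws from.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}
CLASS_TESTS = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    "symbol": lambda c: c in string.punctuation,
}


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    return sum(size for name, size in CLASS_SIZES.items()
               if any(CLASS_TESTS[name](c) for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive search has to try.
    Assumes the characters were chosen at random from that alphabet; a
    dictionary word or keyboard pattern is far weaker than this suggests."""
    return len(password) * math.log2(charset_size(password))


def worst_case_crack_years(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the whole search space at a given offline guess rate."""
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e10  # constructed figure: a fast unsalted hash on a GPU rig
    samples = {  # all three are constructed, random-looking strings
        "9 chars, four classes (1+1+1+6)": "Kx7!mqzpw",
        "10 chars, lowercase only": "mqzpwtrbla",
        "32 chars, lowercase only": "qvtnlbwrpzkgfmhayudjscoeixnqvtlb",
    }
    for label, pw in samples.items():
        print(f"{label:34} {search_space_bits(pw):6.1f} bits  "
              f"{worst_case_crack_years(pw, RATE):.3g} years")
```

The 32-character lowercase string comes out around 150 bits against roughly 59 for the 9-character "one of everything" password, which is the whole argument for preferring length over forced symbol rules.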


I have Firefox set up so every website I visit, including this one, gets opened like an app. Nothing to do with Ice Apps, though similar; it's this one thing that keeps me coming back to the XFCE environment. When it comes to passwords, Firefox has them locked away for me to automatically go to the website of choice and be automatically logged in. Here is a look at my desktop; across the top are my website links, from the left onwards.

To set these up you have to go to every website login, copy and paste the URL, then find a suitable icon for the app. With Ice Apps it's a private window, but this, which I'm demonstrating, opens instantly rather than waiting for a default browser window to open. Also it saves clogging up the browser with shortcuts or tabs. I've always set up my Linux like this. Passwords are important and should not be so easy, as a lot of people make the mistake of using 1234 as their password. Firefox has a password maker built in, with over forty-odd characters, though don't quote me on that; it just looked a lot when Firefox asked if I would consider using one of their made-up ones. So all of my websites on here and all my other computers are set up to automatically log me in. I would never ever do this with Chrome, as their security to my mind is too open, plus all the telemetry they take from you. At least with Firefox you can switch off Google altogether and choose a different, more private search engine. I use Duck Duck Go; they have gotten bigger and better over the years and they don't take anything or spy on you.

Wow, I get it now haha, if you want to create a pass with less than 8 characters, the system doesn't let you do it, right?

Alright! I have set the minimum password length to 8. Enjoy :slight_smile:

#1. Minimum 10 characters
#2. Use of symbols $£€£@#$₩
#3. Uppercase and lowercase characters
#4. Numbers 0-9 and a mixture of symbols
#5. **Two Factor Authentication would be a plus**

I am not convinced that two pass authentication is the solution… using the methods that are currently available. I don't like the fact that normally double authentication means you need to supply your mobile phone number and then you have no control over where it has been saved and who has access to it. Sometimes for various reasons I am more or less forced to use Google. My cookies get deleted automatically, so the first thing Google does is tell me to check my mobile and convince them that it really is "me"… sooner or later they will probably start collecting ID pictures and will insist that I allow them to use my mobile so that they can use the camera to compare. I am convinced that in the not too far future user identification will play a much larger part in our lives and that personal privacy will slowly be whittled away.

Actually, there are tons of SIM-swapping cases that prove indubitably that adding your phone number to your account data makes your account less secure.

I’m fully with @Ute on this: Two factor authentication is a ridiculous overkill for a forum.


Well, I think it’d be fine for an admin or whoever has access to turning off the server or stealing account information of all users. :laughing:

