Concerning password character limits

Hello,

Please don't.

Totally agree. The inability to use a special character is pretty archaic, not to mention insecure.

Actual best practices for password requirements are to allow any characters but not require anything in particular, except to enforce a minimum length of at least 10.

Josh Janes wrote: Totally agree. The inability to use a special character is pretty archaic, not to mention insecure.

Arguably a password created using the first letter of each word of a 20-word pass-phrase can be much more secure than an 8-character alphanumeric password that contains a single special character. In any case the use of special characters should be allowed but not required.

You guys are incorrect. Length is the number one determining factor for password strength. Special character requirements often prevent people from memorizing long passwords or pass phrases. Letters, numbers and long passwords are what is needed. Not against special chars, just against requiring them.

Rick Blair wrote: You guys are incorrect. Length is the number one determining factor for password strength. Special character requirements often prevent people from memorizing long passwords or pass phrases. Letters, numbers and long passwords are what is needed. Not against special chars, just against requiring them.

That's what two of us already said.

jkw wrote: That's what two of us already said.

It's Mountain Project, we need at least 12 people to say the same thing worded differently. Seriously though, I started typing my response and got distracted by work, when I came back and hit "submit" I was down the list.

Rick Blair wrote: It's Mountain Project, we need at least 12 people to say the same thing worded differently. Seriously though, I started typing my response and got distracted by work, when I came back and hit "submit" I was down the list.

It's all good. Sorry if I sounded like a wanker. When it comes to this stuff it's probably good to have lots of people say the same thing, as it seems like very few people get it.

jkw wrote: It's all good. Sorry if I sounded like a wanker. When it comes to this stuff it's probably good to have lots of people say the same thing, as it seems like very few people get it.

And it looks like we posted at about the same time. Looking at some of the active threads on MP at the moment, this one has a good chance of devolving into a debate about pre-hung draws on a sport route and the nuances between redpoint and pinkpoint as well. Now how we get there from here is open to conjecture.

Marc801 wrote: And it looks like we posted at about the same time. Looking at some of the active threads on MP at the moment, this one has a good chance of devolving into a debate about pre-hung draws on a sport route and the nuances between redpoint and pinkpoint as well. Now how we get there from here is open to conjecture.

Does the send count if I go to tick my route on MP while at the anchors and it takes me two tries to log in because my password was too complicated to type while pumped?

The sign-up and login are also done in the clear, not over TLS. So, if you are using a laptop on an open network (or a larger network like Panera), your password is being sent in plain text as well. The passwords appear to be plain MD5 and are stored and sent via cookies.

jkw wrote: Actual best practices for password requirements are to allow any characters but not require anything in particular except to enforce a minimum length of at least 10

THIS. Most password requirements that sites implement make remembering the password difficult, and thus it is more likely to be written down and insecure. Pass-phrases are far better. I think THIS summarises it quite nicely (Passwords, xkcd). For those who aren't mathematically inclined, consider that EVERY 3 m x 3 m square on earth has now been given a unique three-word designator. All 5,700,000 MILLION places on earth. The ranger's office in camp for example is "several.amended.crispy".

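The entropy arithmetic behind the thread's "length beats special characters" argument and the three-word example above, as an added Python example that is not part of the original thread: it scores each scheme mentioned, assuming the password is chosen uniformly at random. The alphabet sizes (62 for letters and digits, 94 with ASCII punctuation) and the 7776-word diceware list are my assumptions.

```python
import math
import string

# Added example: guessing entropy, in bits, of a password chosen uniformly at
# random from an alphabet of a given size: length * log2(alphabet_size).
# Alphabet sizes are assumptions: ASCII letters+digits = 62, plus punctuation = 94.
ALNUM = len(string.ascii_letters + string.digits)       # 62
ALNUM_SPECIAL = ALNUM + len(string.punctuation)         # 94


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest random string over this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_schemes() -> dict:
    """Entropy of the schemes discussed in the thread, all assuming random choice.

    Caveat: the 20-word-initials figure is an upper bound. Initials of a
    meaningful sentence are far from uniform (lots of t, a, s; almost no x, z),
    so the real figure is much lower than 20 * log2(26).
    """
    return {
        # The site's rule is 6-20 letters and digits; the minimum sets the floor
        # an attacker can count on, not the maximum.
        "site rule, 6 alnum (minimum allowed)": entropy_bits(ALNUM, 6),
        "site rule, 20 alnum (maximum allowed)": entropy_bits(ALNUM, 20),
        "thread's suggested minimum, 10 alnum": entropy_bits(ALNUM, 10),
        "8 chars, alnum + specials required": entropy_bits(ALNUM_SPECIAL, 8),
        "20-word passphrase initials (upper bound)": entropy_bits(26, 20),
        # what3words-style: 5.7 trillion 3 m x 3 m cells, each a three-word name
        "three random words, 5.7e12 combinations": math.log2(5.7e12),
        # xkcd-style: 4 words from a 7776-word diceware list
        "4 diceware words (7776-word list)": entropy_bits(7776, 4),
    }


def alnum_chars_to_match(length: int, alphabet_size: int) -> int:
    """How many letters+digits equal a password of `length` over a richer alphabet.
    Shows the thread's point: one extra plain character beats requiring specials."""
    return min_length_for_bits(ALNUM, entropy_bits(alphabet_size, length))


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{bits:6.1f} bits  {name}")
    print("alnum chars matching 8 alnum+special:", alnum_chars_to_match(8, ALNUM_SPECIAL))
```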
And it's... Mountain Project. Your important passwords will have special characters. What are you worried about? Someone posting dumb shit on forums in your name? That job is already taken care of.

patto wrote: THIS. Most password requirements that sites implement make remembering the password difficult, and thus it is more likely to be written down and insecure. I think THIS summarises it quite nicely.

Again, nobody suggested that special characters should be required.

Unfortunately that xkcd advice doesn't quite work as well as it once did. Read this if you want more:

Cruxic wrote: Hello, I recently tried to change my mountain-project password but was given this error: "Your password must be between 6-20 characters using only letters and numbers." This alpha-numeric limitation goes against the modern best practices that passwords should contain special characters. Such passwords are stronger. It also raises a deeper concern: this limitation could indicate that passwords are being stored as plain text in the database, as opposed to the industry-standard salted hash. Lifting this restriction might be as simple as changing a regex somewhere. If the problem is deeper I'm willing to volunteer and help fix it (I'm a professional software developer by day). Thanks for creating an awesome place to share our love of the mountains!

For this type of thing, a risk-based approach is appropriate. If someone steals your Mountain Project password, what's the worst thing that can happen? Somebody messes with your ticklist or ruffles a few feathers on the board? L O L

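The "plain MD5 stored and sent via cookies" observation earlier in the thread and the "industry-standard salted hash" Cruxic contrasts it with, as an added Python example that is not code from the site or from anyone in the thread: an unsalted MD5 store beside a salted, iterated PBKDF2 store over constructed sample accounts. The iteration count, record format and user data are my assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts for the demonstration (not real users or data).
# Two users share a password on purpose, to show how each scheme exposes that.
USERS = {"alice": "climb0n", "bob": "climb0n", "carol": "sendit42"}

# Assumed work factor: OWASP's current floor for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the scheme the thread suspects the site uses. Deterministic:
    equal passwords give equal digests, one precomputed table cracks every
    matching row, and a digest carried in a cookie over plain HTTP is itself a
    reusable credential."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing record: algo$iters$salt$hash."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def linkable_accounts(store: dict) -> bool:
    """True if two users' stored values collide, which an unsalted scheme leaks."""
    values = list(store.values())
    return len(values) != len(set(values))


def build_stores(iterations: int = ITERATIONS) -> tuple:
    """Return (legacy_store, salted_store) for the constructed users."""
    legacy = {u: legacy_md5(p) for u, p in USERS.items()}
    salted = {u: hash_password(p, iterations) for u, p in USERS.items()}
    return legacy, salted
```

Running `linkable_accounts` over the two stores from `build_stores()` returns True for the MD5 store (alice and bob are indistinguishable) and False for the salted one, while `verify_password` still authenticates each user against the salted record.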
Why does the effort it takes to brute force your password matter at all when it is being sent in cleartext?

Marc801 wrote: Unfortunately that xkcd advice doesn't quite work as well as it once did. Read this if you want more: schneier.com/blog/archives/… And that is 2 years old at this point. I suspect even that advice is a little dated.

Have a read of the comments. Start using many multiple random words and you quickly bring up the 'entropy'. But more to the point, this is a forum, not a bank. Regardless, any online password routine shouldn't allow high-speed password guessing. For more important things it should lock you out. As far as I'm concerned my forum accounts are insecure to a hacker. Do I care?

patto wrote: As far as I'm concerned my forum accounts are insecure to a hacker. Do I care?

If someone started posting child porn or death threats toward public or political figures under your name/account, I think you might care a bit.