Salta al contenuto principale

I'm tired of web sites inflicting known-bad rules on passwords. Like what characters are required, or minimum length.

pages.nist.gov/800-63-4/sp800-…
schneier.com/blog/archives/202…
tuta.com/blog/minimum-password…

TL;DR: don't require specific classes of characters, require at least 15 characters.

I'd go for a minimum length of at least 16, myself. Brute force guessing is a thing and is dealt with by using longer passwords.

Any web site that doesn't follow these is just security incompetent.

#rant #passwords


2024 NIST rules on minimum password length: Aim for 16 characters or more! | Tuta

With the rise of quantum computers, passwords need to be longer - and more complex. These tips help you secure your online accounts.
Tuta
#rant #passwords

reshared this

in reply to Lars Wirzenius

Royce Williams
Royce Williams

Agree almost entirely (that password composition rules are outdated, and NIST agrees).

Though if you're talking about password attacks that are true brute force (nothing known about the password at all, word list and other attacks exhausted, so falling back to trying every single possible character) ... the math of 16 characters may be bigger than intuitive.

To give you an idea, let's start with 13 characters. Assuming the full printable ASCII character space, and an astronomical hash rate like a trillion hashes per second, it would take 1.6 million years to truly bruteforce 13 characters:

wolframalpha.com/input?i=%2895…

So bruteforcing 16 random characters would be 95 * 95 * 95 of 1.6 million years. Which is probably overkill. 😉

Of course, if we're not talking about passwords based on randomly generated individual characters, but instead about passphrases, this math shifts. But the math is always the number of possibilities to the power of how many of them were chosen. For passphrases, this is (size of dictionary to the power of the number of words). So five words from a 20,000 word dictionary would take a modest 100 years to guarantee a crack (fully exhaust), with an average time to crack of 50 years.

wolframalpha.com/input?i=%2820…

So the password would be dramatically longer than 15 characters, and quite a bit less strong, but still suitable for many use cases. (But if it was stored with a fast hash like MD5, it would only take six 4090s to hit that hash rate! So with all the GPU compute likely available to private attackers, probably not enough if you are a high value target)

Hopefully, those reading along can see why simple composition rules (that you are correctly railing against) wouldn't map as well to a passphrase.

(People may also have questions about quantum photography. My awareness is weaker here, but my understanding is that relatively modest strengthening of password strength is enough to compensate, and wouldn't make an appreciable dent in the astronomical time scales described above.)

Questa voce è stata modificata (2 settimane fa)

Lars Wirzenius reshared this.

in reply to Lars Wirzenius

Nyx Raccoon
Nyx Raccoon
maximum password length, like excuse me?
in reply to Nyx Raccoon

Lars Wirzenius
Lars Wirzenius
@nyxraccoon I'm not sure what you're asking. If there is no limit on the length on passwords, the site will be fed terabytes of data as passwords. That's pointless.
@Nyx Raccoon
in reply to Lars Wirzenius

Nyx Raccoon
Nyx Raccoon
well its not a rare occurence to hit sites with password between 8 and 12/16. That's enraging especially when it (more often that it should) go with no 2fa options for applications where you will have to log without being able to autofill with a password manager (like any social service terminals, where your password to the terminals are the same as the web one)
in reply to Nyx Raccoon

Lars Wirzenius
Lars Wirzenius
@nyxraccoon I am not defending tiny maximum lengths. I'm sorry if something I said gave that impression.
@Nyx Raccoon
in reply to Lars Wirzenius

Richard Levitte
Richard Levitte
My pet peeve for the moment is password prompts that refuse passwords with spaces in them.
in reply to Lars Wirzenius

arosano 🇩🇰 🇮🇱
arosano 🇩🇰 🇮🇱
Couldn't agree more. I have no passwords shorter than 24 characters. My encrypted hd, 36 chars ;)
in reply to Lars Wirzenius

der.hans
der.hans

my favorites are the sites that require short passwords, but allow long usernames

"Sorry bejhodBed|OnmyivwautatVekDoQuavTakyilryg!SluffEm, passwords must be no longer than 12 characters.[0]"

[0] which implies "Please use another company because our security is insufficient."

FLOX Advocate reshared this.

in reply to der.hans

Lars Wirzenius
Lars Wirzenius
@lufthans I entirely agree that if a company gets password requirements so badly wrong, they're likely to get many other aspects of security wrong.
@der.hans
in reply to Lars Wirzenius

Elena ``of Valhalla''
Elena ``of Valhalla''

@Lars Wirzenius or even worse, when public sector regulations enforce obsolete and harmful rules, and even when the people running the services know what they should do, they are forced to do the wrong thing.

#rant #rantRantRant

#rant #rantRantRant @Lars Wirzenius

Lars Wirzenius reshared this.

Questo sito utilizza cookie per riconosce gli utenti loggati e quelli che tornano a visitare. Proseguendo la navigazione su questo sito, accetti l'utilizzo di questi cookie.