
Comment by tharkun__

6 months ago

Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)

I would hate to be labeled 'stupid' every time I don't want to type some 30 dumb characters every time I login. How about no?

  • Different difference ;)

    I also don't want to type 30 chars, when 15 _properly randomly chosen_ characters would suffice but the "stupid people" chose those 15 characters as "passwordP@55w0rd" and now everyone requires us to write 30 instead because it's "so much more secure" when they write "passwordP@55w0rdpasswordP@55w0rd"

    • You're all missing the point.

      There are different attack vectors. Yes, 15 random chars is sufficient if random, but recalling and typing 15 truly random characters is a big challenge for most everyone.

      You shouldn't be having to remember and type your password for Hacker News, for Gmail, or your bank, ever, not even one time.

      By making them 30 characters, you're ensuring one of two things:

      A. Users at least use a passphrase such as "my dad liked to drink 6 packs of Miller Lite" which is brute-force-proof, so that's fine

      B. Users who aren't masochists use a password manager properly and never have to even see their password let alone type it.

      That's it, that's the whole endgame. By keeping passwords short enough to memorize and type, you're just enabling people to use P455w0rd. And if you think that only impacts stupid people, most people are stupid and many of them are in charge of keeping your data (and infrastructure, and government, etc) safe. You need them to be protected, to protect you.

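The thread's disagreement is really about guessing entropy: 15 uniformly random characters, a doubled "passwordP@55w0rd", and a multi-word passphrase are all "long", but a length rule measures none of them. The estimator below is an added illustration written for this page, not code from any commenter; it assumes a character-class model for random strings, a constructed 7776-word dictionary size for passphrases, and a constructed 10^10 guesses/second offline attacker, and it treats a string that is just a shorter unit repeated as worth only that unit.

```python
import math
import re

# Character classes and their alphabet sizes (assumption: a "random" password
# is drawn uniformly from the union of the classes it actually uses).
CLASS_SIZES = {
    "lower": (26, re.compile(r"[a-z]")),
    "upper": (26, re.compile(r"[A-Z]")),
    "digit": (10, re.compile(r"[0-9]")),
    "symbol": (33, re.compile(r"[^a-zA-Z0-9]")),  # printable ASCII punctuation
}


def shortest_repeating_unit(s: str) -> str:
    """Return the shortest u such that s == u * k for some k >= 1.

    Doubling a password ("abcabc") adds length but no entropy, which is
    exactly what a "make it 30 characters" rule fails to measure."""
    n = len(s)
    for period in range(1, n + 1):
        if n % period == 0 and s[:period] * (n // period) == s:
            return s[:period]
    return s


def random_string_bits(pw: str) -> float:
    """Upper bound on entropy if pw were uniformly random over its classes.

    This is a ceiling only: a dictionary-derived string like
    "passwordP@55w0rd" is far weaker than this number suggests."""
    unit = shortest_repeating_unit(pw)
    alphabet = sum(size for size, rx in CLASS_SIZES.values() if rx.search(unit))
    if alphabet == 0:
        return 0.0
    return len(unit) * math.log2(alphabet)


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of `words` words chosen uniformly from a word list.

    7776 is a diceware-style list size (constructed assumption)."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years for an offline attacker at the given rate to try every
    candidate; the rate is a constructed assumption for illustration."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_policies() -> dict:
    """Side-by-side ceilings for the three cases the thread argues about."""
    doubled = "passwordP@55w0rd" * 2
    return {
        "15 random printable chars": 15 * math.log2(95),
        "passwordP@55w0rd (ceiling)": random_string_bits("passwordP@55w0rd"),
        "doubled to 32 chars (ceiling)": random_string_bits(doubled),
        "10-word passphrase": passphrase_bits(10),
    }


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```

The point to take from the numbers is that the doubled string scores exactly the same as its 16-character unit, while a random 15-character string and a 10-word passphrase both clear 95 bits; a policy that counts characters cannot tell these apart, which is why the commenters above land on password managers and passphrases rather than a longer minimum.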