Comment by pylotlight
6 months ago
I would hate to be labeled 'stupid' every time I don't want to type some 30 dumb characters every time I login. How about no?
Different difference ;)
I also don't want to type 30 chars, when 15 _properly randomly chosen_ characters would suffice but the "stupid people" chose those 15 characters as "passwordP@55w0rd" and now everyone requires us to write 30 instead because it's "so much more secure" when they write "passwordP@55w0rdpasswordP@55w0rd"
You're all missing the point.
There are different attack vectors. Yes, 15 random chars is sufficient if random, but recalling and typing 15 truly random characters is a big challenge for most everyone.
You shouldn't be having to remember and type your password for Hacker News, for Gmail, or your bank, ever, not even one time.
By making them 30 characters, you're ensuring one of two things:
A. Users at least use a passphrase such as "my dad liked to drink 6 packs of Miller Lite", which is brute-force-proof, so that's fine
B. Users who aren't masochists use a password manager properly and never have to even see their password let alone type it.
That's it, that's the whole endgame. By keeping passwords short enough to memorize and type, you're just enabling people to use P455w0rd. And if you think that only impacts stupid people, most people are stupid and many of them are in charge of keeping your data (and infrastructure, and government, etc) safe. You need them to be protected, to protect you.
I don't think that is correct at all.
Users are not "at least using a passphrase". They will do the simplest thing ever.
What happened when people used the password "123" and we added "Must have at least 8 chars"? They make it "password".
What happened when people used the password "password" and we added "Must have one upper case char"? They make it "Password" or "passworD".
What happened when people used the password "Password" and we added "Must have one number"? They make it "Password1".
What happened when people used the password "Password1" and we added "Must have one special char"? They make it "Password1!".
Guess what happened when people used the password "Password1!" and we added "Must be 30 chars long"? They make it "Password901234567890123456789!".
(or anything else stupidly easy based on whatever password they used to have anyway)
As in, you are missing the point I'm making. You cannot solve a people education problem by adding more and more "stringent" requirements. You need to educate them. You need to make them understand why it matters. Only then might they actually care enough to use a proper passphrase like you suggested.
In that sense I do agree with you that using a password manager is the best most people can do. I use one at work and it's a game changer. But I only use it, because it's provided by work and thus it's free for me. If they didn't provide it, guess what I would do too? If they have obnoxious rules, then I will thwart them any which way makes it easier for me. So my "change your password every 30 days and it can't be one of the last 8" password of course was my last password but it went up to <lastPassword>8 until I went to <lastPassword> again.
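As an added example, not written by any of the commenters, here is a defender-side policy check in Python that rejects the mutations the thread describes (trailing digits and symbols, leetspeak, a block repeated to reach a length minimum) instead of trusting length alone; the small common-word list and the 15-character minimum are assumptions standing in for a real breached-password list and a real policy.

```python
import re
from typing import Tuple

# Constructed sample of base words the check refuses; a real deployment
# would consult a large breached-password list instead.
COMMON_BASES = {"password", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Common leetspeak substitutions, undone so "P@55w0rd" is treated as "password".
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                      "0": "o", "1": "i", "3": "e", "7": "t"})


def base_word(password: str) -> str:
    """Undo the edits users apply to satisfy composition rules and return
    the underlying word: strip leading/trailing digits and symbols, undo
    leetspeak, and count a repeated block only once."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # "Password1!" -> "password"
    s = s.translate(LEET)                      # "p@55w0rd"   -> "password"
    # "passwordpassword" -> "password": a repeated block adds no content.
    for n in range(1, len(s) // 2 + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return s[:n]
    return s


def check_password(password: str, min_len: int = 15) -> Tuple[bool, str]:
    """Return (accepted, reason). Length is necessary but not sufficient:
    a common word plus padding is rejected however long it is."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    base = base_word(password)
    if base in COMMON_BASES:
        return False, f"common word '{base}' with predictable padding"
    if len(base) < 8:
        return False, "too little content once padding and repeats are removed"
    return True, "accepted"


if __name__ == "__main__":
    # The thread's own examples plus the passphrase suggested above.
    for pw in ["Password1!", "passwordP@55w0rd", "passwordP@55w0rdpasswordP@55w0rd",
               "Password901234567890123456789!",
               "my dad liked to drink 6 packs of Miller Lite"]:
        print(f"{pw!r}: {check_password(pw)}")
```

The three 16- to 32-character mutations of "password" from the thread all reduce to the same base word and are refused, while the passphrase passes.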