Maximum password length

How many characters can my SDMB password be? I changed it recently, because of the Announcement, and I got curious.

It looks to me like 13 is the maximum number of characters. Newer versions of vBulletin allow at least 22 characters.

Can we use numbers or punctuation marks in our passwords, or are we restricted to just letters?

At least some punctuation marks are allowed. You’re probably safe with anything on the number keys.

I don’t know about spaces, line breaks, etc., but you can use almost any character in the character set, including punctuation. So é,ô;ç2ÐÖ is a valid password. I know because I chose my password characters at random during the recent change, and it’s just mumbo-jumbo along those lines. Furthermore, passwords are case-sensitive, so ABCD is different from abcd (either one is probably a bad choice). Single words found in a dictionary are also a bad choice, such as password.

I was thinking of using a telephone number that only I and a select few would know.

jab, I’m hardly an expert in computer security, but I’d suggest that a phone number, no matter what it is, is a bad choice for a password. There are either 7 or 10 digits, which gives us either 49 (7[sup]2[/sup]) or 100 (10[sup]2[/sup]) combinations. That’s just not very many…

When selecting a password, it’s not the original source that’s important – it’s the end format. I’m sure there are plenty of sites out there that talk about this, but I’m going to let someone else find them.

Okay, I’ll stick with what I have.

Here is a very good page from MIT about how to choose a good password named, appropriately, How to Choose a Good Password. It says to use passwords like these:
[ul]
[li]"3laR2s2uaPA$$WDS!" for "Three-letter acronyms are too short to use as passwords!"[/li]
[li]"IwadaSn,atCwt2bmP,btc't." for "It was a dark and stormy night, and the crackers were trying to break my password, but they couldn’t."[/li]
[li]"HmPwaCciaCccP?" for "How many passwords would a cracker crack if a cracker could crack passwords?"[/li]
[/ul]
(That is the method I use, incidentally.)
It says never to use words, ever. Even if you don’t think any dictionary would have them, remember this: Specialized dictionaries are online now, open to everyone. The most oblique Anime reference, the most obscure movie quote, can be guessed by someone who has social-engineered you well enough. And social-engineering, not brute-force attacks, is the method of choice (among the non-idiots, anyway).

Here’s a program to generate passwords I found at http://www.download.com.

Quicky Password Generator
(http://download.cnet.com/downloads/0-10105-100-1560555.html?tag=st.dl.10001-103-1.lst-7-2.1560555)

I have not tried it, but it sounds like exactly what you need.

The price is right too. :)

For best results here, try to keep it under 12 characters, use a mixture of letters and numbers, etc.

your humble TubaDiva
Administrator

It’s not quite that bad. There are 10 choices for each of the seven digits (leaving aside a few unused combinations like 555-XXXX), so there are about 10[sup]7[/sup] possible permutations of a seven-digit phone number, and 10[sup]10[/sup] possible permutations of a ten-digit phone number.

That said, phone numbers are easy to social-engineer (relatively speaking).

Some of the fields are different lengths. This is a problem at many sites. It’s better to be conservative (i.e., near the minimum length) or you find yourself locked out of some page or other.

I would caution against experimenting around with nonalphanumerics for your password on this board, or, presumably, anything with vBulletin. I changed my password to:

;'[]\:"{}|

Big mistake! I couldn’t change it back. One of these characters, and maybe more than one, is a whammy. I think it’s probably the backslash. Thanks again, TubaDiva, for fixing me up. However, I must say that I did try all of the following characters with no ill effects before hitting on the undesirable sequence up there:

`~!@#$%^&*(),./<>?
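An added illustration (not code from the thread or from vBulletin, and not a confirmed explanation of the poster's lockout) of one well-known way a backslash or quote can wreck a password: if the handler that stores the password runs it through an escaping step such as PHP's addslashes() before hashing, while the login handler hashes the raw submission, the two hashes never match. Note that the set that worked for the poster contains no quote or backslash, while the set that locked them out contains all three; that is consistent with this hypothetical cause, though the thread does not establish it. The hash function and both handlers below are constructed for the example.

```python
import hashlib

# Constructed model: a "registration" path that escapes before hashing,
# and a "login" path that hashes the raw bytes. Hypothetical only; not
# vBulletin's actual code.

def addslashes(text: str) -> str:
    """Mimic PHP's addslashes(): prefix ', ", \\ and NUL with a backslash."""
    out = []
    for ch in text:
        if ch in "'\"\\\0":
            out.append("\\")
        out.append(ch)
    return "".join(out)

def store_hash(password: str, escape_first: bool) -> str:
    """Hypothetical registration handler: optionally escapes, then hashes."""
    material = addslashes(password) if escape_first else password
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def login_ok(password: str, stored: str) -> bool:
    """Hypothetical login handler: hashes exactly the bytes submitted."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest() == stored

def lockout_risk(password: str) -> bool:
    """True if addslashes-style escaping would change the password at all."""
    return addslashes(password) != password

# The two character sets quoted by the poster above.
SAFE_SET = "`~!@#$%^&*(),./<>?"   # no ill effects for the poster
BAD_SET = ";'[]\\:\"{}|"           # locked the poster out

if __name__ == "__main__":
    for pw in (SAFE_SET, BAD_SET):
        stored = store_hash(pw, escape_first=True)
        print(repr(pw), "altered by escaping:", lockout_risk(pw),
              "login succeeds:", login_ok(pw, stored))
```

The defensive rule this illustrates is that the bytes hashed at registration and at login must be identical: any escaping meant for a database query belongs after hashing (or nowhere, with parameterised queries), never applied to the password itself.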

One password trick that I like to do is this: rely on keyboard geometry to generate something, like zse456yhn. Also, if you touch-type, you can move your fingers off the F and J key and type something in, like W54q8ty5E903, which is StraightDope, but shifted up one key. These results look pretty cryptic, but they may not be all that secure to crackers. If so, I hope somebody says so.
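An added example, not from the thread, that puts numbers on two points raised above: the size of the keyspace for a phone number versus a longer random string, and why keyboard-geometry passwords like zse456yhn and row-shifted words like W54q8ty5E903 look cryptic but are cheap for a password-policy checker (or a cracker) to recognise. The QWERTY model (US layout, row stagger ignored) and the tiny wordlist are constructed for the example.

```python
import math
from typing import Iterable, List, Optional

# Constructed QWERTY model: each key gets a (row, column) position.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: log2(alphabet ** length).
    Only meaningful when the characters really are chosen at random."""
    return length * math.log2(alphabet_size)

def walk_fraction(password: str) -> float:
    """Share of consecutive character pairs that sit on neighbouring keys
    (row and column each differ by at most 1). 1.0 means a pure keyboard walk."""
    pairs = adjacent = 0
    low = password.lower()
    for a, b in zip(low, low[1:]):
        if a in POS and b in POS:
            pairs += 1
            (r1, c1), (r2, c2) = POS[a], POS[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                adjacent += 1
    return adjacent / pairs if pairs else 0.0

def shift_rows(text: str, delta: int) -> str:
    """Move every key `delta` rows (negative = up) in the same column, keeping
    case. Characters with no key at the target position are left unchanged."""
    out = []
    for ch in text:
        low = ch.lower()
        if low not in POS:
            out.append(ch)
            continue
        r, c = POS[low]
        nr = r + delta
        if 0 <= nr < len(ROWS) and c < len(ROWS[nr]):
            new = ROWS[nr][c]
            out.append(new.upper() if ch.isupper() else new)
        else:
            out.append(ch)
    return "".join(out)

def candidate_plaintexts(password: str) -> List[str]:
    """Undo a one-row shift in either direction."""
    return [shift_rows(password, d) for d in (-1, 1)]

def dictionary_hit(password: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry the password matches, directly or after
    unshifting; None if no match. A policy checker would run this at set time."""
    words = {w.lower() for w in wordlist}
    for cand in [password] + candidate_plaintexts(password):
        if cand.lower() in words:
            return cand
    return None

# Constructed wordlist; a real checker would use a large one.
WORDS = ["StraightDope", "password"]

if __name__ == "__main__":
    print("7-digit phone:", round(keyspace_bits(10, 7), 1), "bits")
    print("10-digit phone:", round(keyspace_bits(10, 10), 1), "bits")
    print("14 random printable chars:", round(keyspace_bits(95, 14), 1), "bits")
    print("walk fraction of zse456yhn:", walk_fraction("zse456yhn"))
    print("W54q8ty5E903 reduces to:", dictionary_hit("W54q8ty5E903", WORDS))
```

A seven-digit number is about 23 bits and a ten-digit number about 33 bits, which is tiny next to the roughly 92 bits of a 14-character string drawn at random from the 95 printable ASCII characters. The keyboard walk scores 1.0 (every pair of neighbouring characters is a neighbouring key), and a single unshift turns W54q8ty5E903 back into StraightDope, so both tricks add only a constant amount of work for anyone who has thought of them.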

Achernar:
Your methods would be pretty safe against a brute-force attack, with dictionary words, or perhaps alphanumeric sequences, chosen from a list, but the method most serious crackers use is social engineering. Social engineering is simply the cracker doing things like posing as a technical support agent and asking you for your password, or asking questions that would reveal common passwords. (Hey, Achernar, what’s your mother’s maiden name? How about your social security number? etc.) Social engineering exploits insecurities in the people using the software, rather than insecurities in the software itself. That is why you should never write your password down, for example, or give it out. My link above has good advice.