Why are alphabetic passwords weaker?

What is the purpose of a maximum password length? I’ve been on websites which do not allow passwords longer than 12, 14, 16 characters, etc. On other hand, I have at least one account that allows up to 64-character passwords.

It helps identify sites with questionable security practices. As does a rule excluding certain punctuation characters.

A site that correctly hashes passwords has no reason to set a short limit on length or prohibit common characters.

They should be storing hashes of passwords, not full passwords, so there should be no space gains.

You do want to have at least some limit to length, to protect against memory issues, but allowing users 40-100 characters should always be reasonable.

So - most sites, including this one I think, allow a forgetful user to recover their password. All I have to do is to give my email address and they automatically send it to me. I have done this with ebay on several occasions.

If a criminal hacks my email (surely not all that difficult?) they can then easily get any passwords they want. The only exceptions that I know of for certain are my bank and my credit card company.

We have to change passwords at work every 60 calendar days. The password history is 24 iterations. The standard rule is a minimum 12 characters (some require 32 characters!); it must include at least one upper-case letter, at least one number, and one special character (from a list).

I have about a dozen accounts to change. I record everything in a KeePass Password Safe on an encrypted flash drive.

If you’re remembering that Ebay sent your old password to you in email, I think you’re mistaken. That would mean they’re storing passwords in the clear, which is negligent and doomed to disaster. There are sites that do, but they’re not high value targets like Ebay (and it’s only a matter of time before they change or die).

You are correct that if someone hacks your email account, you’re screwed. This is why you need strong passwords that are unique and never reused across sites. If you think your email account is an easy target, change your password now. And enable 2-step authentication.

Hello All,
Fascinating discussion re Password strength/length/practicability.

A couple of points, one previously mentioned, come to mind.

Password character sets and string lengths are frequently limited in/on(?) financial sites.
I think some Banks want the economy of on-line banking combined with the implicit dismissal of on-line fraud, excused with ‘your password was insecure’; this, combined with, say, an eight-symbol limit, seems to leave certain companies with a get-out excuse.
To wit:
1. We want to encourage on-line Banking, it’s cheaper for us.
2. We want to make it as accessible as possible to our Customers, i.e. better deposit rates, and boy I’m after every 0.15%.
3. You, the Customer, are not only responsible for your own mistakes but ours as well.
4. We will limit the strength of any password you can apply, see #3.
5. We will only admit to Database loss when forced.
5a. We will prevaricate, dissemble, lie, hold ‘urgent discussions’, discuss ‘Blue Sky’ solutions (my favorite meaningless statement) and, when finally all current members of the Board have bailed out with nice fat Lemonade, Bribes or Pensions, admit defeat.
6. Pay for all of the above via a workers’ Pension Scheme.

Peter

To be clear, I did not mean to suggest that an attacker would receive feedback on a partial-match password. What I meant is that any attack vector which will try “thisisreallyquitealong” will also try “thisisreallyquitealongpassword”.

There probably isn’t any single technique that “most users” use. Any attacker is going to go after the low-hanging fruit first: The people who use “123”, or “password”, or their username or the name of the site. And there are a fair number of those. But they’re not going to stop there. After they finish those, they’re going to move on to trying their dictionary, and trying their dictionary with l33t substitutions, and trying short concatenations from their dictionary, and trying long but meaningful concatenations, and every other pattern they can think of.

If you use the firefox browser, there is an available add-on called PassLikeW8 that does this. It adds a little eye symbol to password fields; if you click on the symbol the *****'s in the field change to the actual text.

I’m sure Sage Rat is correct regarding the 21st century, but …
[boring historical note]
There was a way to crack passwords on VAX/VMS based on “cut-off pieces of paper.” The VMS password software checked character by character. Place an ‘A’ in the very last byte of your address space, point to it, invoke the password checker. If you get “Wrong password” you know the ‘A’ is wrong; otherwise you get “Address violation.”

Iterate up to 26 times and you have the first letter, say ‘S’. Now place ‘SA’ in the last two bytes, iterate up to 26 times to get the second letter of the password, and so on.
[/boring]
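The character-by-character oracle described in the note above, as an added simulation in Python (it is not VMS code and not from the original thread): the checker stops at the first mismatch, so a candidate placed flush against the end of the mapped memory yields either "Wrong password" or a fault, depending only on whether the byte under test was right. The memory size, the 26-letter alphabet and the secret SECRET are constructed for the demo; the hardened variant, which reads the whole fixed-length field before a constant-time compare, is an added counterpoint showing why the signal disappears.

```python
"""Simulation of the end-of-address-space password oracle described above.

Added illustration, not VMS code and not from the original thread.  The
memory size, alphabet and secret are constructed for the demo."""
import hmac
import string

MEMORY_SIZE = 64                   # constructed: last mapped byte is index 63
ALPHABET = string.ascii_uppercase  # the note's "iterate up to 26 times"


class AddressViolation(Exception):
    """Stand-in for the hardware fault raised on an unmapped read."""


def make_vulnerable_checker(secret: str):
    """Checker that compares one byte at a time and stops at the first
    mismatch, so whether it ever touches byte k+1 depends on byte k."""
    def check(memory: bytearray, guess_addr: int) -> str:
        for i, ch in enumerate(secret):
            addr = guess_addr + i
            if addr >= len(memory):
                raise AddressViolation(addr)
            if memory[addr] != ord(ch):
                return "Wrong password"
        return "Correct"
    return check


def make_hardened_checker(secret: str):
    """Copies the whole fixed-length field first, then compares in constant
    time.  A fault now depends only on where the candidate is placed, not
    on its contents, so the per-letter signal disappears."""
    def check(memory: bytearray, guess_addr: int) -> str:
        end = guess_addr + len(secret)
        if end > len(memory):
            raise AddressViolation(end - 1)
        field = bytes(memory[guess_addr:end])
        return "Correct" if hmac.compare_digest(field, secret.encode()) else "Wrong password"
    return check


def recover_password(check, memory_size=MEMORY_SIZE, alphabet=ALPHABET):
    """Attacker side: place known prefix + one trial letter so the trial
    letter sits in the last mapped byte, then read the oracle.
    Returns (password, number_of_checker_calls)."""
    known, queries = "", 0
    while len(known) < memory_size:
        for letter in alphabet:
            candidate = (known + letter).encode()
            memory = bytearray(memory_size)
            start = memory_size - len(candidate)
            memory[start:] = candidate
            queries += 1
            try:
                result = check(memory, start)
            except AddressViolation:
                # The checker accepted this letter and ran off the end.
                known += letter
                break
            if result == "Correct":
                return known + letter, queries
            # "Wrong password": the letter was rejected before the boundary.
        else:
            raise ValueError("oracle gave no usable signal at position %d" % len(known))
    raise ValueError("candidate exceeded memory size")


if __name__ == "__main__":
    pw, n = recover_password(make_vulnerable_checker("SECRET"))
    print(f"recovered {pw!r} in {n} oracle calls")
```

Against the vulnerable checker the loop recovers a six-letter password in at most 26 * 6 calls instead of 26 ** 6; against the hardened checker every short candidate faults regardless of its letters, so the attacker gets no per-position feedback and the recovery fails.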

The security questions for password recovery, like “What city was your high school in?” are ridiculously easy to look up. My brother answers all these with a code word, like for his Mastercard, the answer to every challenge question might be “fish.”

One problem with the forced digits is that almost everyone, when forced to add digits, adds their age or birth year. If someone is trying to crack a particular person’s password, you can look up this info. If you are cracking batches, you can go with common numbers for the site’s demographic.

My first pet’s name was lg0pDMSMkJmCHM6K.

Not necessarily. I doubt there are procedurally generated dictionary attacks which map out trillions of 4-10 word sentences. Perhaps there are lists of millions or billions of common phrases, but I’m not even sure that would be among them. Certainly you would increase the security of such a password by simply changing it to thisisreally%quitealongpassword - but a 30+ character sentence falling victim to a dictionary attack seems unlikely.

If you have access to the hash files - the way the passwords are stored - you can use some GPUs to run millions of hashes per second against the content of that file and end up with some matches by literally trying every possible permutation of a certain number of characters.

Every time you add a character to the password length, you increase the possible permutations by however many different characters you can use in your password. Simplistically, if you could use only 0-9 and lowercase letters, a 3-digit password only has 46656 possible permutations, which is rather trivial to crack. But a 30-digit password with the same 36 characters would have roughly 1.5e+53 permutations.

Using such brute-force methods, My$C@t3 is a relatively insecure password, but “buttfrogsfrankenstein” is very secure.

This is true only if every possible added character is equally likely.

Actually it is 62^n vs 52^n considering most passwords accept capital and lowercase letters.