    Password Complexity, Good or bad?

    • Dashrender @BRRABill

      @BRRABill said:

      @Dashrender said:

      Yes, of course it is. But thisisalongpassword is way better than P@ssw0rd

      I originally was questioning @scottalanmiller that

      password
      and
      P@ssw0rd

      are the same to a computer.

      Not arguing anything here. Agree with it all.

      He was oversimplifying it, sure. But both would be in a predefined dictionary, which would take seconds to crack, so he does have that on his side.

      • Deleted74295 Banned

        http://howsecureismypassword.com/

        Appears to be offline 😛

        • BRRABill @Deleted74295

          @Breffni-Potter said:

          http://howsecureismypassword.com/

          Appears to be offline 😛

          .NET

          • BRRABill

            thisisalongpassword = 607 million years

            thisisalongpasswor@ = 3 trillion years

            • Dashrender @BRRABill

              @BRRABill said:

              @Breffni-Potter said:

              http://howsecureismypassword.com/

              Appears to be offline 😛

              .NET

              whoops

              https://howsecureismypassword.net/

              • BRRABill @Dashrender

                @Dashrender said:

                whoops

                https://howsecureismypassword.net/

                At least it wasn't a porn site.

                • Dashrender @BRRABill

                  @BRRABill said:

                  thisisalongpassword = 607 million years

                  thisisalongpasswor@ = 3 trillion years

                  Is there a real difference? A meaningful difference?

                  • Dashrender @BRRABill

                    @BRRABill said:

                    @Dashrender said:

                    whoops

                    https://howsecureismypassword.net/

                    At least it wasn't a porn site.

                    Why?

                    • BRRABill @Dashrender

                      @Dashrender said:

                      Is there a real difference? A meaningful difference?

                      Yes.

                      I plan to live between those two numbers, so I need the stronger password.

                      • Dashrender @BRRABill

                        @BRRABill said:

                        @Dashrender said:

                        Is there a real difference? A meaningful difference?

                        Yes.

                        I plan to live between those two numbers, so I need the stronger password.

                        Just change it at least once between now and then and you should be fine.

                        • BRRABill @Dashrender

                          @Dashrender said:

                          Is there a real difference? A meaningful difference?

                          My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords. (Say 12 or less.) Why totally take them out of the equation? Especially at the beginning or end of the passphrase? Or on sites that don't allow longer passwords for whatever reason.

                          • BRRABill @Dashrender

                            @Dashrender said:

                            Just change it at least once between now and then and you should be fine.

                            I was planning to just add another @ sign but apparently that is a no-no. 🙂

                            • Dashrender @BRRABill

                              @BRRABill said:

                              @Dashrender said:

                              Is there a real difference? A meaningful difference?

                              My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords. (Say 12 or less.) Why totally take them out of the equation? Especially at the beginning or end of the passphrase? Or on sites that don't allow longer passwords for whatever reason.

                              No one ever said take them out... just that they aren't a requirement.

                              The general belief is that the more requirements you put on users, the more they will fight you. So do 12+ and have no requirements - you can suggest that they put in caps, numbers, special characters... but not required.

                              • BRRABill @Dashrender

                                @Dashrender said:

                                No one ever said take them out... just that they aren't a requirement.

                                The general belief is that the more requirements you put on users, the more they will fight you. So do 12+ and have no requirements - you can suggest that they put in caps, numbers, special characters... but not required.

                                Got it.

                                I'm glad you and I had this little discussion!

                                • larsen161 @JaredBusch

                                  @JaredBusch said:

                                  12+ Characters, complexity not needed. 180+ day password cycle.

                                  2FA is always nice, but I would never expect to get it going in a standard office environment.

                                  Why would you never expect to get it going in an office?
                                  It's been a straightforward implementation process in all of my last 3 companies.

                                  • Dashrender

                                    @larsen161
                                    I won't speak for JB, but for me - it's all around cost.

                                    • scottalanmiller @Dashrender

                                      @Dashrender said:

                                      @larsen161
                                      I won't speak for JB, but for me - it's all around cost.

                                      But you can do that for free.

                                      • scottalanmiller @Dashrender

                                        @Dashrender said:

                                        @BRRABill said:

                                        @Dashrender said:

                                        Is there a real difference? A meaningful difference?

                                        My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords. (Say 12 or less.) Why totally take them out of the equation? Especially at the beginning or end of the passphrase? Or on sites that don't allow longer passwords for whatever reason.

                                        No one ever said take them out... just that they aren't a requirement.

                                        The general belief is that the more requirements you put on users, the more they will fight you. So do 12+ and have no requirements - you can suggest that they put in caps, numbers, special characters... but not required.

                                        Exactly, don't block people from using them, that's totally different. You want people making long, hard, but easy for them to remember passphrases. Anything that undermines that undermines your security. So the goal is to provide more options and encouragement towards security, not introducing artificial constraints that add effort and frustration because those things work against security.

                                        • scottalanmiller @Dashrender

                                          @Dashrender said:

                                          you can suggest that they put in caps, numbers, special characters... but not required.

                                          I don't even know if I would do that. If those things happen naturally, great, but they literally do nothing for security, so encouraging them for their own sake is bad, even if it is just a gentle nudge. What you want most is non-repeating, long, easy to remember passphrases. Anything that doesn't encourage that isn't useful.

                                          • scottalanmiller @BRRABill

                                            @BRRABill said:

                                            My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords.

                                            They don't, though. They add no complexity. They are "just another ASCII character", they are not a thing. The computer does not even know that you thought you added complexity. To the computer there are two kinds of complexity only: length and "not available in a dictionary", the dictionary meaning any list of things, not a dictionary book. A dictionary could include "list of common passwords", for example.

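Added example, not part of the thread or any poster's code: a Python sketch of the policy discussed above (12+ characters, no composition rules, reject anything that reduces to a dictionary entry once case and common symbol swaps are undone), next to the charset-size estimate that strength meters typically report. The word list, swap map and function names are assumptions constructed for illustration.

```python
import math
import string

# Constructed sample list; a real check would load a large breached-password list.
COMMON = {"password", "letmein", "qwerty", "welcome", "dragon"}
# Assumed map of common symbol/digit swaps, undone before the lookup.
SWAPS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                       "3": "e", "$": "s", "5": "s"})
MIN_LENGTH = 12  # the "12+" figure from the thread


def naive_bits(pw):
    """Charset-size estimate: length * log2(pool of character classes used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def variants(pw):
    """Forms to look up: lower-cased, with and without a trailing digit/symbol run."""
    low = pw.lower()
    trimmed = low.rstrip(string.digits + string.punctuation)
    return {low.translate(SWAPS), trimmed.translate(SWAPS)}


def check(pw):
    """Return (accepted, reason). No composition rules, only length and dictionary."""
    if any(v in COMMON for v in variants(pw)):
        return (False, "dictionary")
    if len(pw) < MIN_LENGTH:
        return (False, "too short")
    return (True, "ok")


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd", "Xk9#mQ2!",
               "thisisalongpassword", "thisisalongpasswor@"):
        print(f"{pw:22} {naive_bits(pw):6.1f} bits  {check(pw)}")
```

The estimate rates P@ssw0rd well above password, yet both are rejected by the lookup, while the 19-character phrase is accepted with or without the trailing symbol.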