Password Policy


(mcebis) #1

A bit of feedback. A 10 character password is excessive. It causes someone to try and choose something they can remember. The forum is not a paying site and you don’t have my credit card details to save. I recommend relaxing this.


(Doug Morris) #2

I agree. Most sites will accept passwords of 7+ character length.


(carl) #3

I disagree

https://blog.codinghorror.com/your-password-is-too-damn-short/


(Larry Lustig) #4

Check out LastPass or some similar password vault. I probably have a twenty character completely unguessable password to this site, and I have no idea what it is.


(G. Andrew Duthie) #5

+1 to Carl here.

If you are relying on remembering passwords as a general rule, you are on the road to failure unless you have a fantastic memory, or only use a VERY few sites on the internet.

Otherwise, you may be in the habit of reusing passwords, or making your passwords easy to remember, both of which are habits that are extremely risky. A 7-character password can be broken in very little time, with trivial effort.

And while you may not be worried about your credit card info, since the site doesn’t have it, that’s not the thing you should be worried about. Today’s cyber-crooks are more sophisticated, and use attacks on multiple parts of your online life to chain enough information together to convince someone at your bank, or other more important places, that they are you. Gaining access to your info on the forum could be one piece they need to start that attack.

I strongly recommend considering the use of a password manager. I personally use LastPass. There are many others (enpass, 1pass, etc.) so find one that meets your needs and use it.

If you aren’t going to use a password manager, consider the use of passphrases, a series of words that are meaningful to you, but wouldn’t make sense in a sentence. That can easily get you a long-enough password for the site, and make it memorable to boot.
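To put numbers on the length argument in the post above (7 characters being breakable "in very little time" versus a 10-character password or a multi-word passphrase), here is an added example that is not part of the original thread. It estimates the search space an offline guessing attacker faces, using a constructed guess rate of 10^10 guesses per second as a round-number assumption for a fast, unsalted hash; the character-class detection is a rough upper bound, since it assumes the characters were chosen uniformly, which human-chosen passwords never are.

```python
import math
import string

# Assumption: a round-number offline guessing rate for a fast hash (e.g. unsalted SHA-1).
# Real rates depend on hardware and on the hash the site uses; this is only for comparison.
GUESSES_PER_SECOND = 1e10

# Size of a Diceware-style word list (7776 = 6^5), used for the passphrase estimate.
DICEWARE_WORDS = 7776


def estimate_charset_size(password: str) -> int:
    """Upper-bound alphabet size: sum of the character classes that actually appear.
    Treats the password as if drawn uniformly from those classes (an optimistic assumption)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for a uniformly random password of `length` characters."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Bits for a passphrase of `words` words drawn uniformly from a word list."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the secret: on average half the space must be searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def estimate_password_bits(password: str) -> float:
    """Rough entropy estimate for a concrete password string (upper bound, see above)."""
    return password_entropy_bits(len(password), estimate_charset_size(password))


def meets_length_policy(password: str, min_length: int = 10) -> bool:
    """The forum's rule under discussion: a minimum of 10 characters."""
    return len(password) >= min_length


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit for a comparison table."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.1f} years"
    if seconds >= 86400:
        return f"{seconds / 86400:,.1f} days"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords for the comparison; none are real credentials.
    samples = ["Tr0ub4d", "Tr0ub4dor&", "correct horse battery staple"]
    for pw in samples:
        bits = estimate_password_bits(pw)
        print(f"{pw!r:32} len={len(pw):2d} policy_ok={meets_length_policy(pw)!s:5} "
              f"~{bits:5.1f} bits -> {human_duration(expected_crack_seconds(bits))}")
    # Passphrase strength if the words were picked at random rather than by a person:
    for n in (4, 5, 6):
        bits = passphrase_entropy_bits(n)
        print(f"{n}-word random passphrase: {bits:5.1f} bits -> "
              f"{human_duration(expected_crack_seconds(bits))}")
```

The table this prints is the point: at the assumed rate, a 7-character mixed-alphanumeric password is exhausted in minutes, while 10 characters from the same alphabet pushes the expected time past a year, and a randomly chosen passphrase of five or six common words gets the same or better with something a person can actually type from memory.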


(carl) #6

What he said.


(Doug Morris) #7

I use LastPass too (which is great and free) on my desktop. But what do you guys use on your mobile devices? Last time I looked at LastPass for iPhone it cost money and didn’t integrate with the OS.


(Larry Lustig) #8

I use LastPass on my phone too. I do pay the $12 a year fee although I thought that just added the synchronization between devices.


(G. Andrew Duthie) #9

Can’t speak for iPhone, as I don’t use it, but IIRC, LastPass recently announced they were making the mobile app syncing free.

I use the LastPass app on an Android phone, and it does have integrated fill-ins, and also works with the fingerprint reader on the phone. Extremely convenient, and the app was free.

Yes, there are trade-offs to using the integrations, but compared to trying to remember logins to all the sites/apps I use, it’s a good trade-off for me.

One other important note for anyone following this thread. For any site that gives you the option of using two-factor authentication, I strongly recommend turning that on. That’s one more hurdle between an attacker and your personal information and accounts. I sleep easier knowing that the accounts that matter to me have that extra layer of security.


(Polly Bennett) #10

I use Dashlane to track all of my passwords. It syncs across devices and logs me in automatically, so I never have to remember a password. Having a 10 character password is no problem.


(G. Andrew Duthie) #11

Unless you need the additional features that Premium offers, you should be able to sync on devices now for free. See the link I just posted in reply to Doug.


(Doug Morris) #12

Thanks. I will check out LastPass again.


(Richard Morris) #13

I pay for 1Password and it works on all my devices and syncs via an encrypted data file through Dropbox.


#14

What do you do with these apps if you are on a third-party computer from time to time?


(Larry Lustig) #15

I work on lots of different computers. If I have my own account, I install LastPass in the browser. If I don’t, I just take out my phone and look up the name and password on the LastPass app (it is a hassle copying the password since they are non-mnemonic).


(cindyshocklee) #16

And is there a chance that something like LastPass could be hacked?


(G. Andrew Duthie) #17

There is, and it already has been.

BUT (and this is a big but) given the way LastPass stores data (or doesn’t, as the case may be), it’s very difficult for an attacker to get your passwords from LastPass.

The truth is that using a password manager is a tradeoff. Personally, I think there are significant risks to trying to manage passwords on my own (password re-use, overly simple passwords, etc.) that are worse than the risks of using a password manager.

Using 2-factor authentication (as I suggested earlier) can reduce the risk, because even if someone did manage to get your master password, they would not be able to successfully authenticate without having the device you use for 2FA.


(cindyshocklee) #18

Well, that still sounds much safer than the way I am doing it now. I will have to look into this. Thanks for responding.


(Larry Lustig) #19

LastPass stores your “vault” locally (on your device) and encrypted. The company itself does not maintain a copy of your “master” password and cannot retrieve the contents of your vault if you forget the password. They themselves have been hacked in the past but no vaults (user password data) are said to have been compromised.

Of course, you better not forget your master password!
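The design described in the two posts above (the vendor never holds the master password, a stolen server database does not yield vault contents, and a forgotten master password is unrecoverable) comes down to one pattern: the vault key is derived on the client from the master password, and the server only ever sees a separate one-way verifier derived from that key. The following is an added illustration of that pattern in plain Python, not LastPass's or any vendor's actual code; the iteration count, salt sizes and the "verifier = second PBKDF2 round" construction are my assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 work factor in the range currently recommended for PBKDF2.
ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client side only. This key encrypts the vault and never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def derive_login_verifier(vault_key: bytes, master_password: str) -> bytes:
    """Client side. A one-way value derived FROM the vault key; this is what is sent at login.
    Knowing the verifier does not let anyone compute the vault key (PBKDF2 is one-way)."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32)


def register(master_password: str, iterations: int = ITERATIONS) -> Tuple[Dict[str, object], bytes]:
    """Enrol a user. Returns (the record the server stores, the vault key the client keeps in memory).
    Note what is absent from the server record: the master password and the vault key."""
    salt = secrets.token_bytes(16)
    vault_key = derive_vault_key(master_password, salt, iterations)
    verifier = derive_login_verifier(vault_key, master_password)
    # The server re-hashes the verifier with its own salt so a database dump is not directly usable.
    server_salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", verifier, server_salt, 1, dklen=32)
    record: Dict[str, object] = {
        "salt": salt,
        "iterations": iterations,
        "server_salt": server_salt,
        "stored_verifier": stored,
    }
    return record, vault_key


def login(record: Dict[str, object], master_password: str) -> Tuple[bool, Optional[bytes]]:
    """Client re-derives key and verifier from the typed password; server compares in constant time.
    On success the client has its vault key again; the server still never learned it."""
    vault_key = derive_vault_key(master_password, record["salt"], record["iterations"])  # type: ignore[arg-type]
    verifier = derive_login_verifier(vault_key, master_password)
    candidate = hashlib.pbkdf2_hmac("sha256", verifier, record["server_salt"], 1, dklen=32)  # type: ignore[arg-type]
    if hmac.compare_digest(candidate, record["stored_verifier"]):  # type: ignore[arg-type]
        return True, vault_key
    return False, None


def server_can_recover_key(record: Dict[str, object]) -> bool:
    """What the vendor can do for a user who forgot the master password: nothing.
    Every stored field is either random (salts) or a one-way derivative of the key."""
    return False


if __name__ == "__main__":
    # Constructed demo credentials; not real.
    record, key_at_enrolment = register("correct horse battery staple", iterations=50_000)
    ok, key_at_login = login(record, "correct horse battery staple")
    print("login ok:", ok, "| same vault key:", key_at_login == key_at_enrolment)
    print("wrong password accepted:", login(record, "Tr0ub4dor&")[0])
    print("server holds vault key:", key_at_enrolment in record.values())
    print("vendor can reset vault key:", server_can_recover_key(record))
```

The trade-off the thread mentions shows up directly in this code: because nothing on the server side can reproduce the vault key, a breach of the server exposes only salted one-way verifiers (which an attacker would still have to guess the master password to use), and for exactly the same reason there is no "forgot password" path that returns the vault.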


(ryancrawcour) #20

I disagree. Strong passwords are always always always a good idea. Just use a password manager (most browsers have great plugin / extensions for this) and then you don’t have to worry about complex passwords.