Many Password Strength Meters Are Downright Weak

HardOCP News

I know this may be hard to believe, but researchers say that most password strength meters suck.

Website password strength meters, like a spouse asked to assess your haircut or outfit, often tell you only what you want to hear. That’s the finding from researchers at Concordia University in Montreal, who examined the usefulness of those pesky and ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype.
 
I don't care if they're good or not, I just wish more places would tell me what they are looking for.

How does using capital letters and special characters affect the score? Do I get dinged for using real words?

I was told over and over by my university that my password was rejected, but it never said why. When I finally went to the IT help desk they were able to look into it. It turns out that the password policy had changed recently so "UTexaspassword5" (not my real password or university) wasn't allowed because it had "UTexas" in it, even though my previous passwords had been "UTexaspassword1", "UTexaspassword2", etc.

Just tell me what's allowed and not so I can make a barely strong enough password for all the accounts I must have but rarely care about.
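An added example, not code from the thread or from any site mentioned in it: a password policy that lists its rules before the user types anything and reports every failed rule by name, including the "same password with the trailing number bumped" case from the post above. The rule names, thresholds and the forbidden-substring list are assumptions made for illustration, not any real site's policy.

```python
import re

# Constructed policy for this example. FORBIDDEN_SUBSTRINGS stands in for
# "the institution's own name", which the poster's university silently rejected.
FORBIDDEN_SUBSTRINGS = ("utexas", "password")


def _strip_counter(p: str) -> str:
    """Normalise for the 'previous password with a different trailing digit' check."""
    return re.sub(r"\d+$", "", p).lower()


# (rule name, text shown to the user, predicate(password, previous_passwords))
RULES = (
    ("min_length", "at least 12 characters",
     lambda p, prev: len(p) >= 12),
    ("max_length", "at most 128 characters (long passphrases are fine)",
     lambda p, prev: len(p) <= 128),
    ("no_forbidden", "must not contain the institution name or the word 'password'",
     lambda p, prev: not any(s in p.lower() for s in FORBIDDEN_SUBSTRINGS)),
    ("not_recycled", "must not be a previous password with only the trailing number changed",
     lambda p, prev: _strip_counter(p) not in {_strip_counter(q) for q in prev}),
)


def describe_policy():
    """Rule texts, so a form can show them before the first attempt instead of after."""
    return [text for _, text, _ in RULES]


def check_policy(password, previous=()):
    """Return (rule_name, rule_text) for every rule the password fails; [] means accepted.

    `previous` is plaintext here to keep the example short. A real system stores
    hashes, so the recycled-counter comparison is only possible at change time,
    when the user supplies the old password in clear alongside the new one.
    """
    return [(name, text) for name, text, ok in RULES if not ok(password, previous)]


if __name__ == "__main__":
    print("Policy:", *describe_policy(), sep="\n  ")
    for candidate in ("UTexaspassword5", "horsebattery2", "correct horse battery staple"):
        failed = check_policy(candidate, previous=("horsebattery1",))
        print(f"{candidate!r}: {[name for name, _ in failed] or 'OK'}")
```

Returning the full list of failed rules (rather than stopping at the first one) is what lets a form tell the user everything wrong with the candidate in one round trip, which is the complaint the posts above are making.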
 
I don't care what they think I need in my password, because nobody is ever going to guess it. Not before being locked out and requiring me to contact someone to unlock it. When I need to change my password is when a website gets hacked like Twitch did. Which Twitch most likely was hacked due to not having their servers patched.

Too much obsession over passwords that are never the issue.
 
> I don't care if they're good or not, I just wish more places would tell me what they are looking for.
>
> How does using capital letters and special characters affect the score? Do I get dinged for using real words?
>
> I was told over and over by my university that my password was rejected, but it never said why. When I finally went to the IT help desk they were able to look into it. It turns out that the password policy had changed recently so "UTexaspassword5" (not my real password or university) wasn't allowed because it had "UTexas" in it, even though my previous passwords had been "UTexaspassword1", "UTexaspassword2", etc.
>
> Just tell me what's allowed and not so I can make a barely strong enough password for all the accounts I must have but rarely care about.

I second this!

I hate that some websites do not tell you what the requirements are until after you have entered your potential password twice, only to have it reject it because it is not allowed to have a special character or something random like that, then wipes out all of the form data that you already filled in so you get to start the whole process all over again...
 
Interesting timing on this coming up as I had to reset my Verizon password today and it got rejected. The reason? It claimed my 25 character password was easily guessed because it has real words in it... yeah, a 25 character string of words is totally less safe than the 8 character garbage they made me use. :rolleyes: This continues to be the problem with the password. It isn't the password that is the problem, it is that too many admins don't understand what a real password is and have completely stupid rules. We have for far too many years taught people the wrong damn thing. The most secure password is not a password but a phrase. This is something that is easily remembered by humans even if it is 20+ characters, doesn't need to be written down because it is easily remembered and is impossible to crack due to the sheer number of characters.
 
> I don't care what they think I need in my password, because nobody is ever going to guess it. Not before being locked out and requiring me to contact someone to unlock it. When I need to change my password is when a website gets hacked like Twitch did. Which Twitch most likely was hacked due to not having their servers patched.
>
> Too much obsession over passwords that are never the issue.

It's not really about the passwords, it's about liability. If they let you have an easily guessable password and someone guesses it, you could sue them.
 
I'll add this because it's relevant to Dekoth-E-'s post as well as the new Twitch password strength BS meter.

password_strength.png
 
> I'll add this because it's relevant to Dekoth-E-'s post as well as the new Twitch password strength BS meter.
>
> password_strength.png

Four random words aren't bad but they aren't 2^44. They are 500^4. Since most people's vocabularies are 350 words and I'm tossing 150 memorable proper names as a gimme.

2^44 = 1.8e+13
500^4 = 6.3e+10
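An added example, not code from the thread or from any password meter it mentions, that carries the arithmetic in the two posts above through in code: it scores dictionary words as single symbols drawn from a vocabulary (the 500^4 reasoning) instead of counting every character the way a naive character-class meter does, and compares that with the search space of a short random password. The mini-dictionary in WORDS is constructed for the example; VOCAB_SIZE = 500 and the 8-character and 25-character figures are the thread's own numbers; the 7776-word list size is the standard diceware list. Treating a trailing digit run as a single counter token and giving word separators zero bits are assumptions of this example.

```python
import math

VOCAB_SIZE = 500  # the poster's estimate of a typical usable vocabulary
WORDS = {"correct", "horse", "battery", "staple", "texas", "password", "summer", "dragon"}
MAX_WORD = max(len(w) for w in WORDS)
SEPARATORS = set(" -_.")


def _char_bits(ch):
    """Bits for one character drawn uniformly from its class (assumed class sizes)."""
    if ch.islower() or ch.isupper():
        return math.log2(26)
    if ch.isdigit():
        return math.log2(10)
    return math.log2(33)  # printable ASCII punctuation, including space


def tokenize(password):
    """Greedy longest-match split into ('word', w), ('sep', s), ('char', c), ('counter', d)."""
    core = password.rstrip("0123456789")
    trailing = password[len(core):]
    low = core.lower()
    tokens, i = [], 0
    while i < len(core):
        if core[i] in SEPARATORS:
            tokens.append(("sep", core[i]))
            i += 1
            continue
        for n in range(min(MAX_WORD, len(core) - i), 0, -1):
            if low[i:i + n] in WORDS:
                tokens.append(("word", core[i:i + n]))
                i += n
                break
        else:
            tokens.append(("char", core[i]))
            i += 1
    if trailing:
        tokens.append(("counter", trailing))
    return tokens


def structured_bits(password):
    """Estimate treating each dictionary word as one symbol from VOCAB_SIZE choices."""
    bits = 0.0
    for kind, text in tokenize(password):
        if kind == "word":
            bits += math.log2(VOCAB_SIZE)
        elif kind == "counter":
            bits += math.log2(10)  # assumption: a bumped trailing number costs one digit
        elif kind == "char":
            bits += _char_bits(text)
        # 'sep' tokens between words are assumed predictable: 0 bits
    return bits


def naive_bits(password):
    """What a character-class meter does: length x log2(size of the classes present)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def random_bits(length, alphabet=95):
    """Search space of a uniformly random string over `alphabet` printable characters."""
    return length * math.log2(alphabet)


def words_needed(list_size, target_bits):
    """How many random words from a list of `list_size` reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    for pw in ("UTexaspassword5", "correct horse battery staple"):
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, structured {structured_bits(pw):.1f} bits")
    print(f"4 words from 500: {4 * math.log2(500):.1f} bits (2^44 would be 44.0)")
    print(f"4 diceware words (7776): {4 * math.log2(7776):.1f} bits")
    print(f"8 random printable characters: {random_bits(8):.1f} bits")
    print(f"words from a 500-word vocabulary to match that: {words_needed(500, random_bits(8))}")
```

Run as written, it shows both sides of the thread's argument with numbers: four words from a 500-word vocabulary are about 36 bits (short of 2^44, as the post says), four diceware words are about 52 bits, and eight uniformly random printable characters are about 53 bits. A passphrase wins on length only when the words are actually chosen at random from a large enough list, which is also why a meter that counts characters rates "UTexaspassword5" far higher than the word-based estimate does.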
 
Passwords are weak. Sooner or later, all password protection will be permanently broken and all data will be trivially accessible by anyone. The security industry is working on alternative identification methods, but I think they need to think about approaching the problem in a completely different way because they cannot win the twin battles against user stupidity and criminal deviousness.
 
One thing to keep in mind after hearing Steve Gibson talk about these meters, is that if you're going to Google "Password Strength Meter" do not enter your actual password in there. Use the same characters, length, and upper/lower case as you would but don't trust that they aren't going to honeypot tens of thousands of users doing this daily to try and find common trends if not adding it to a dictionary.
 
For me the most annoying services are the ones with severely limited lengths...

Some sites restrict you to 8 characters or no special characters... wtf! Those are the sites that throw me the most.
 
Eh...I just use keepass. I have no idea what 99% of my passwords are, but if the site doesn't restrict me to a small character set and short password length (which happens way too often), I typically have 32 characters...in some cases they allow control characters in the password.

The only PW that should be a phrase is your keepass password. Personally, I think a few random words is better than an actual phrase.
 