• squid_slime@lemm.eeEnglish
    4·
    2 days ago

    I hate these arbitrary limitations of 16 characters, 25 is unbreakable and some sites won’t allow longer than 16 20, I’ve even had one site not allow over 6.

  • Rhynoplaz@lemmy.worldEnglish
    1431·
    4 days ago

    “Your selected password is already being used by SwiftyFan05. Please choose another password.”

  • cley_faye@lemmy.worldEnglish
    141·
    3 days ago

    64 characters picked at random in [a-zA-Z0-9_] is perfectly fine if password is your only option. Special character do not increase significantly the difficulty of bruteforcing it, but introduce the risk of having to manually type "}à.å÷Â!!ç-×ô@¸Á¢±ãÕß>>úÓ}¼º¤«<_`àÅû§Æ]*ÂñçÌÿ§à®&ܱ=Ú-´ð¹é$.>=;Ö if something goes catastrophically wrong.

    • 🦄🦄🦄@feddit.orgEnglish
      13·
      3 days ago

      Not being allowed to use special characters can be a sign of the website saving your password in plain text.

      • cley_faye@lemmy.worldEnglish
        1·
        21 hours ago

        It can be. Or it can be someone that had to deal with users (or was trained about it) and is limiting the chances of a user being kept out because they type something that looks like their password but isn’t, and then have to go to support.

    • groet@feddit.orgEnglish
      24·
      4 days ago

      Might be a minimum of 16 chars. Or the parsing is broken and treats the ’ as the end of the password

      • teletext@reddthat.comEnglish
        5·
        4 days ago

        Yeah, I’d consider anything less than 20 characters broken. Much too likely that it’s contained in a rainbow table, regardless how many special characters you use. Can I remember many 20 character passwords? No, but my password manager can.

        • CanadaPlus@lemmy.sdf.orgEnglish
          4·
          3 days ago

          That’s a big rainbow table. Like, with just precomputed values and random ascii character passwords it’s on the order of 1042 entries. You can shave that down a bit probably with all the tricks rainbow tables use, but I think you’re safe.

          • teletext@reddthat.comEnglish
            1·
            3 days ago

            Base85 contains just about every printable ASCII character, so I’ll use that as a base. 8516 ~= 1031 -> extremely huge, but still feasible at least for state actors. 8520 ~= 1039 -> if I read Wolfram Alpha’s comparison correctly, that is more information than is believed to be contained in the DNA of all living creatures combined. That’s why I’d recommend >= 20 characters.

            • CanadaPlus@lemmy.sdf.orgEnglish
              1·
              3 days ago

              1031 is ridiculously huge too. The NSA probably works on EB scales, which is “only” 1018 bytes. If you can get up to 1022 equally likely passwords you’re fine against dragnet, brute force-style attacks. (If you’re zombie Bin Laden and the NSA will stop for a whole year cracking your drive, and doesn’t have any shortcuts, maybe you need 1039 I guess)

              That being said, if more characters is no problem, go ahead and do that. I’m not saying more security for free is a bad thing.

        • Aganim@lemmy.worldEnglish
          5·
          3 days ago

          I let my password manager create 32 char passwords, that should be enough for a while. But of course then you have websites that throw you a ‘your password is too long’ message and have you find out by trial and error that they only accept 12 characters.

          Or the off-by-one errors where they insist that 24 chars are the max, but in reality they accept 23. Probably never tested the limit.

          Or websites that truncate your password after X characters when registering, but not when logging in, so you end up with an incorrect password and good luck finding out which limit the registration page actually uses.

  • Buffalox@lemmy.worldEnglish
    11·
    4 days ago

    It’s actually nice they have underscore. 😀
    Yes because if you choose 8 characters at random, with 25 small + 25 big letters and 10 numeric, it* only 60^8 = 167,961,600,000,000 combinations.
    I think the problem is more if the system allows brute force with thousands of erroneous attempts.
    Then statistically any hacker can attempt several accounts, and ultimately get lucky. But by all means, put the responsibility to the user, users are the experts right!?
    I never got the frantic excessive entropy mindset, when the problem is much simpler to not allow crackers endless attempts. You can allow 50 attempts, and chances would be very slim to guess even pretty moronic passwords.

    What’s even worse is when they REQUIRE big and small and numbers to maximize entropy, they actually make statistically FEWER attempts necessary to brute force it.
    A standard Microsoft introduced in the 90’s, and FUCKING almost everybody is using, despite it’s a 100% moronic requirement.
    Instead just warn against passwords that can be guessed by logic, or can be found in a dictionary.

    • stevedice@sh.itjust.worksEnglish
      11·
      4 days ago

      Most websites don’t allow multiple failed logins and, even if they did, the network latency alone would make brute force attacks useless. The point of having a high entropy password is to protect against hackers brute forcing a leaked database of hashes. Having different passwords for every website also protects against this so, as usual, the answer is “just use a password manager”.

      • purplemonkeymad@programming.devEnglish
        2·
        3 days ago

        The point of having a high entropy password is to protect against hackers brute forcing a leaked database of hashes.

        I don’t think you need to worry about that in this case, the special character restriction suggests to me that they don’t hash it.

      • Buffalox@lemmy.worldEnglish
        14·
        4 days ago

        The point of having a high entropy password is to protect against hackers brute forcing a leaked database of hashes.

        Seems a bit stupid if a database of passwords or other sensitive information can be brute forced.

      • Buffalox@lemmy.worldEnglish
        12·
        4 days ago

        just use a password manager

        I will never do that, I have a system instead. I never understood why people would want to use a password manager. To me it seems it ads an attack vector, where you could lose EVERYTHING!

        • stevedice@sh.itjust.worksEnglish
          4·
          4 days ago

          I guarantee your system is less secure than the worst password manager. Humans are inherently bad at choosing passwords, or anything to do with randomness really.

  • expatriado@lemmy.worldEnglish
    7·
    4 days ago

    recently did one that only cared about being very long, so i typed thispasswordisfuckinglong and it took it

  • chuckleslord@lemmy.worldEnglish
    4·
    4 days ago

    I mean, 63^6 is a lot of possibilities, but just make the password longer to increase its security.

    Blocking out special characters is dumb, but as others have pointed out, they’re probably not sanitizing inputs.