Obligatory link to neal.fun password-game
this post was submitted on 09 Jan 2025
80 points (97.6% liked)
Ask Lemmy
31084 readers
1914 users here now
A Fediverse community for open-ended, thought provoking questions
Rules: (interactive)
1) Be nice and; have fun
Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them
2) All posts must end with a '?'
This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?
3) No spam
Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.
4) NSFW is okay, within reason
Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either [email protected] or [email protected].
NSFW comments should be restricted to posts tagged [NSFW].
5) This is not a support community.
It is not a place for 'how do I?', type questions.
If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email [email protected]. For other questions check our partnered communities list, or use the search function.
6) No US Politics.
Please don't post about current US Politics. If you need to do this, try [email protected] or [email protected]
Reminder: The terms of service apply here too.
Partnered Communities:
Logo design credit goes to: tubbadu
founded 2 years ago
MODERATORS
I've encountered a few sites that restricted repeating or sequential characters. Of course told after failing the first creation attempt. Makes things like randomly generated passphrases fun to figure out. Particularly when their idea of "sequential" involves both in alpha/numerical order, but also adjacent spacing on the (assumed?) qwerty keyboard!
Anyone remember the Password Game?
I personally hate character limits. I understand minimum character count, but I can't have more than 15 characters? Bruh
Six numbers only.
There is such a thing as good unhinged?
I'm going to need an example here...
The most basic rules commonly required everywhere. When you have such specific rules, it ironically actually makes finding the password through brute force easier because you can eliminate a bunch of variables that could have existed without all the rules. I can eliminate any permutation under 8 characters, doesn't contain a number, and doesn't contain a special character.
It will still possibly take a billion years to guess, but it could have been two billion without the rules.
Of course, I also find it wild that the metric for how good an encryption or password system is, is just how long it would take to guess every possible combination of input it could be, sequentially. It doesn't account for a brute force attempt that just selects random inputs. It could take until the heat death of the universe... It could take 3 seconds. It's up to chance at that point. Not to mention all the easier ways of getting a password. Like gaslighting the person who knows it into giving it up.
It's something like the second law of Thermodynamics. It's probability, not absolute. It's possible all the gas molecules in the room arrange themselves one corner, but it's fantastically unlikely. It's possible to choose the right encryption key to a 256-bit cipher at random the first time, but it's fantastically unlikely.
Any service that says I must have a 12 or 14 string password, combined with symbols, numbers and letters.
Do you know why, I have to keep resetting my password, services that have this dumb requirement? Because your fucking requirements are absurd and unnecessary. I don't have the mental capacity to care to remember that long of a password. I have to have a document now of all of the passwords I have so it's not forgotten. I have to have browsers autofill for me because of this shit.
In a perfect world, 6 - 8 string passwords would suffice and lots of emphasis on symbols and numbers at the very least. The longer you try making the characters of a password, the chances of forgetting increases.
Flickr does this. Some of the portals to my apartment portal does this. Portals to some of my medical information does this. It's fucking bullshit. StateFarm does this too.
For me it’s the opposite - every password is generated, except for those websites that limit me to something unreasonably short like 14 chars. They need to accept longer passwords, so I can use a generated one with default complexity, not have to make up something easy to remember
I wholeheartedly disagree A long password like "this is the best password for email" is near-impossible to brute-force, while being extremely easy to remember. A short password with special characters / numbers / lowercase + capital letters, like "Emai1_Passw0rd!" is far easier to brute-force, and a lot harder to remember (which letters did I capitalize again? Which ones did I swap with numbers? What symbol did I throw in?)
Optimal password requirements are ... nothing. Because every requirement you put in reduces the parameter space an attacker needs to search. Second best is setting a minimum number of characters, because a bunch of people are stupid and will use single-letter passwords if you let them.
Write it down
Then you'll memorise it
load more comments
(1 replies)
I needed to get a certificate for digitally submitting my taxes. This, of course, requires me to set a password for it. The tax office' web site lists a number of requirements and rejects any password that does not match those (so it said). So far, so good, the usual stuff, lower and upper case, numbers, special characters, minimum lenght. No surprises there.
For one of the "special characters" I used "ö" (umlaut o), which is a normal character in my language (which is the same as the tax offices, so they should be aware of those). The web site filter happily accepted this password containing the "ö". But the back engine got a severe case of digital diarrhea from it. I had to clear my caches and cookies to completely re-starting the application process.
Another password SNAFU I had many years ago in a place using TN3270 terminals. To those who have never seen such a thing, it is a so-called "smart terminal". It does not send and receive single characters like a telnet or SSH session, but the host sends a mask to the terminal, defining fields that can be filled out, and with a "send" or "function" key (IIRC) you could send the data back. Those fields had fixed lengths, of course. You might guess the problem...
So the login screen had two fields of eight characters each: "Username" and "Password". I entered the credentials I have been given and sent them. The first thing I did was to select "change password". It opened a form with three fields: "old password", "new password", and "repeat new password". Nothing odd about that, but the fields had twelve characters. So, not knowing the particulars of that system (I was used to UNIX style terminals back then), I entered a new password that was longer than eight characters. Guess what? I logged out, I tried to log in, I was stuck. I had to ask my admin to reset my password. And had found the first of many, many bugs in that system.