On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
> I think it isn't necessary to have all those special characters in
> order to have strong passwords.

I completely agree, it's just as impossible to guess that a password is "$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to remember and type. With the peculiar password rules, I have no choice but to do the insecure thing and write down passwords somewhere (whether that's on paper or on file). You're not supposed to write passwords down anywhere.

About the only benefit of stupid character rules is to try and stop people putting in guessable things, like their child's birthday. But the usual rules won't stop people using "John1983$".

What these rulemakers forget is that password cracking is an all or nothing venture. You have to get it exactly right to crack it, you don't get hints that you're almost correct.

Really, what ought to get tightened up is the software accepting logons. There should be a limited number of attempts (3 goes and you're out for a significant time limit). Any system that lets a cracker hammer away with repeated attempts is the thing that is broken.

> I think the real danger with passwords is that people use the same one
> (usually weak) on multiple sites, so if a site gets cracked, they are
> endangered in other places.

I quite agree. Along with other stupidities, such as a website telling users to log in with their email address and password. Instead, it ought to ask people to log in with their account name and *this* site's password. People stupidly give their credentials away to all and sundry with prompts like that. The account creation process should specifically say not to use the same password as they use anywhere else.
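
The attempt limit described in the message above ("3 goes and you're out for a significant time limit"), as an added example that is not part of the original post. The class name, the 15-minute lockout value and the sample account are assumptions made for illustration.

```python
import hmac
import time


class LoginThrottle:
    """Per-account attempt limiter: N failures, then a timed lockout."""

    def __init__(self, verify, max_failures=3, lockout_seconds=900,
                 clock=time.monotonic):
        self.verify = verify                    # callable(account, password) -> bool
        self.max_failures = max_failures        # "3 goes and you're out"
        self.lockout_seconds = lockout_seconds  # assumed value (15 minutes)
        self.clock = clock                      # injectable so tests can move time
        self.failures = {}                      # account -> consecutive failures
        self.locked_until = {}                  # account -> unlock timestamp

    def attempt(self, account, password):
        """Return 'ok', 'denied' or 'locked' for one logon attempt."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            # Decided before the password is checked, so a locked account
            # gives no hint about whether the guess was right.
            return "locked"
        self.locked_until.pop(account, None)
        if self.verify(account, password):
            self.failures.pop(account, None)    # success resets the count
            return "ok"
        count = self.failures.get(account, 0) + 1
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures.pop(account, None)
        else:
            self.failures[account] = count
        return "denied"


def demo():
    """Constructed run: three bad guesses, the right one, then a wait."""
    now = [0.0]
    users = {"alice": "sickturtlepyjamas"}      # constructed sample account
    # Stand-in for a real salted password-hash check.
    verify = lambda a, p: hmac.compare_digest(users.get(a, ""), p)
    throttle = LoginThrottle(verify, clock=lambda: now[0])
    results = [throttle.attempt("alice", g) for g in ("John1983$", "a", "b")]
    results.append(throttle.attempt("alice", "sickturtlepyjamas"))  # locked out
    now[0] += 901                                # lockout window has passed
    results.append(throttle.attempt("alice", "sickturtlepyjamas"))
    return results
```

Because the counter is keyed by account name alone, anyone who knows an account name can lock its owner out by submitting wrong passwords, which is the trade-off of this design.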