Password Rules and where to find and record them

wkleem
Community Member
edited October 2016 in Lounge

I have a question about Password rules and how/where to record them?

For example, Microsoft site wide has imposed a 16 character limit on passwords. Wouldn't it make Diceware and Pronounceable passwords ineligible or weak?

Apple has its own rules and again Diceware and Pronounceable are ineligible or weak.

Practically every site probably has different rules and requirements.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @wkleem: It's a very difficult problem — both for us as users and for 1Password — because it varies so wildly from site to site. Personally, I just deal with this on a case-by-case basis when I update a password, since many sites do change their rules over time, so any I record for future reference may become obsolete anyway. One particularly troublesome issue I've experienced a few times is that a site's form will accept a password which is invalid according to their rules, and it's simply truncated without any warning. So when I try to log in with my 48-character password later (which the site ostensibly accepted), the login attempt is rejected — for example, because only the first 20 characters were saved as the new password.

    Your example of word-based passwords on sites with low length limits is a good one. But generally speaking, it isn't necessary to use a word-based password except in very specific circumstances, and in cases where the length is so short, it's much less troublesome to enter a character-based password than if, for example, the length was 32+. But in those cases where a word-based password is desired and the limit is low, regenerating to get a new random password can get you one with shorter words at least, if you're lucky. :)
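The two situations in the reply above, modelled in code as an added example (this is not code from the thread, from 1Password, or from any real site): a backend that silently keeps only the first 20 characters of a new password, so the full 48-character password later fails to log in; a client-side probe that detects that truncation by retrying with shorter prefixes; the same backend fixed to reject over-limit input instead of truncating it; and a word-based generator that regenerates until the result fits a site's limit. The class names, the 20-character limit, the tiny word list and the constructed test password are all assumptions made for illustration. PBKDF2 stands in for whatever hashing a real site uses.

```python
import hashlib
import os
import secrets

class TruncatingSite:
    """Models the failure mode described in the post: the form accepts any
    length, but the backend silently stores only the first MAX_STORED
    characters and hashes the full input at login. Constructed example;
    not any real site's code."""
    MAX_STORED = 20          # assumed limit, matching the post's "first 20 characters"
    ITERATIONS = 10_000      # deliberately low so the probe below runs quickly

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest)

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def set_password(self, user, password):
        stored = password[: self.MAX_STORED]          # the silent truncation
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(stored, salt))
        return True                                   # no warning to the user

    def login(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return secrets.compare_digest(self._hash(password, salt), digest)


class ValidatingSite(TruncatingSite):
    """Hardened variant: refuse over-limit input instead of truncating it,
    so the user learns about the limit at registration rather than at login."""
    def set_password(self, user, password):
        if len(password) > self.MAX_STORED:
            raise ValueError(f"password longer than {self.MAX_STORED} characters")
        return super().set_password(user, password)


def probe_truncation(site, user, password):
    """Client-side check for set-time truncation.
    Returns None if the full password logs in (no truncation observed);
    otherwise the number of leading characters the site actually stored,
    found by retrying with progressively shorter prefixes."""
    if site.login(user, password):
        return None
    for n in range(len(password) - 1, 0, -1):
        if site.login(user, password[:n]):
            return n
    raise RuntimeError("no prefix of the password is accepted")


# Constructed mini word list for illustration; not the real Diceware list.
WORDS = ["ox", "cat", "dog", "elm", "fox", "gnu", "hat", "ice", "jam", "kit",
         "lab", "moth", "nest", "oak", "pear", "quail", "rust", "sand", "tide",
         "urn", "vine", "wolf", "yak", "zebra", "marble", "copper", "anchor"]

def word_password(max_len, n_words=4, sep="-", rng=None, attempts=200):
    """The workaround from the post: regenerate a word-based password until
    it fits the site's limit. Note the trade-off: retrying biases the result
    toward short words, so the entropy is a little below that of an
    unconstrained draw of n_words words."""
    rng = rng or secrets.SystemRandom()
    for _ in range(attempts):
        pw = sep.join(rng.choice(WORDS) for _ in range(n_words))
        if len(pw) <= max_len:
            return pw
    return None      # caller should fall back to a character-based password


if __name__ == "__main__":
    pw = "Tr0ub4dor&3-" * 4                      # constructed 48-character password
    site = TruncatingSite()
    site.set_password("alice", pw)
    print("full password works:", site.login("alice", pw))       # False
    print("stored prefix length:", probe_truncation(site, "alice", pw))  # 20
```

Run the probe against your own account only, and only when a freshly set password unexpectedly fails: each attempt is a login, and a site with lockout will count the failed prefixes against you.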

  • wkleem
    Community Member
    edited October 2016

    I've been trying to make sense of the new NIST requirements that I have only glanced at.

    Better yet, NIST says you should allow a maximum length of at least 64, so no more “Sorry, your password can’t be longer than 16 characters.”

    That's the trouble with complex passwords, how does anyone expect to answer it over phone tech support?

  • AGAlumB
    1Password Alumni

    @wkleem: Interesting. I have only ever been asked for a password once on the phone, and I refused to give it. Let's face it: setting aside the fact that we're not supposed to give login credentials away in the first place, unless the password is truly ridiculous (e.g. "monkey"), it's still a nightmare to read it over the phone (trying to synthesize the NATO phonetic alphabet I never memorized). Frankly, it's a little ridiculous to impose any limit on password length or composition since no one should be storing actual passwords, but rather hashes of them. I can dream, can't I? :lol:

  • wkleem
    Community Member

    I have had the experience with security questions over the phone with Apple and others. Those ought to be banned, as we all know.

  • AGAlumB
    1Password Alumni

    @wkleem: Ah, yeah. That's a whole other can of worms. We really want to have randomly generated "answers" to these to benefit our actual security (contrary to the cynically-named "security questions" themselves), but that brings us back to your original point. Unfortunately there isn't a perfect solution. Personally, I just avoid making phone calls as much as possible for this reason. But of course sometimes it's necessary, so I have to just close my eyes and think "happiness". :unamused:
