Size does matter: Outlook.com punters want meatier passwords

Microsoft has come in for a bit of stick in security circles for only allowing a 16-character password for sign-ups to Outlook.com, Redmond's newly launched Gmail rival. The service – which has already attracted more than a million sign-ups – has a maximum password length of 16 characters, the same as Hotmail.com and Windows …

COMMENTS

This topic is closed for new posts.
  1. EvanPyle
    Stop

    What do you mean password strength does not rely on length?

    A longer password is MANY MANY MANY more times more secure than a complex one.

    http://xkcd.com/936/

    1. LarsG
      Meh

      They like to have

      An accessible open door policy.

    2. Anonymous Coward

      err...

      Over a certain length people are far more likely to choose well known phrases or sayings, which drastically reduces password strength.

      1. Anonymous Coward

        Re: err...

        Which is the same mistake as using submarine1 as a password and being surprised it gets cracked in seconds.

    3. Annihilator

      "What do you mean password strength does not rely on length?"

      Who said that? The article says password strength is more important than length alone, but also acknowledges that length is a factor in working out strength.

      But no, 1234567890 isn't many many many more times secure than, say D¬s£_"

      1. LinkOfHyrule
        Joke

        Joke alert

        I got a spam email yesterday in my new outlook.com email inbox - it said...

        "Worried, embarrassed, ashamed of the length of your password? Your password length fails to impress her? Feeling inadequate next to that fat nerdy dude in the IT office?....." etc

        Then it went on trying to flog me "herbal password extenders!"

  2. Anonymous Coward

    A common misconception

    "The length of a password is less important than its strength, which depends on whether the login credential uses a mix of letter, numbers and non-alphanumeric characters (good) or words that might be found in a dictionary (terrible)"

    The length of the password is in fact much, much more important to its strength than whether it uses non-alphanumeric characters and such like. See for example http://xkcd.com/936/.

    It's pretty easy to see why length is so much more important than the characters you choose -- the number of possible passwords is exponential in the length of the password, but only polynomial in the size of the alphabet you're drawing from.

    1. boatman

      Re: A common misconception

      Maybe worth a read

      http://xato.net/tag/brute-force/

      1. Jimmy 1

        Re: A common misconception (about haystacks)

        Check out Steve Gibson's site also for some interesting insights about length versus complexity in passwords.

        https://www.grc.com/haystack.htm#top

  3. Graham 24

    Or if you get a failed login for a particular e-mail address, simply deny all logins from that source IP for, say, five seconds. Hardly a great inconvenience to a genuine user making a typo on the password, but it makes a remote "dictionary attack" (where the dictionary includes all combinations of upper case, lower case and digits) of even an eight-character password unfeasible.

    Granted, if someone gets hold of the underlying password database, and so can circumvent the connection and time restrictions imposed when connecting remotely, then the shorter passwords are now much weaker than longer ones.

    1. G2
      Facepalm

      @deny source ip

      <quote src=Graham 24>[...]simply deny all logins from that source IP for, say, five seconds. Hardly a great inconvenience to a genuine user making a typo on the password, but it makes a remote "dictionary attack" (where the dictionary includes all combinations of upper case, lower case and digits) of even an eight-character password unfeasible.[...]</quote>

      These days it's a lot easier to do DISTRIBUTED dictionary attacks or port/vulnerability scans; denying logins from a particular IP address or address range is meaningless.

      It's better to deny logins globally to that account for x seconds/minutes and after that to add a mandatory captcha to the login for the next few hours. I've even seen servers that always ask for a captcha on logins (I configure mine this way too).

      https://www.google.com/search?q=distributed+dictionary+attack

      https://www.google.com/search?q=distributed+port+scan

      1. Graham 24

        Re: @deny source ip

        "denying logins from a particular ip address or address range is meaningless."

        It's there to prevent denial of service attacks against a single account.

        "It's better to deny logins globally to that account for x seconds/minutes ".

        If you do that, all I have to do is to log in as you with an incorrect password every few seconds, and you can never access your account. If you limit the lock out to the IP addresses that originated the failed login, the legitimate user can still get access.

        1. PC Paul

          Re: @deny source ip

          "If you limit the lock out to the IP addresses that originated the failed login, the legitimate user can still get access."

          or, you could do it the other way round: deny login attempts from any IP that has not previously successfully logged in to that account.

          Either way you need to store _some_ IP addresses, the list of previously-successful IPs is likely to be much shorter than the list of DDOSing failed login sources.

          1. Fibbles

            Re: @deny source ip

            "or, you could do it the other way round: deny login attempts from any IP that has not previously successfully logged in to that account."

            I don't see how that'd work; the vast majority of users are likely to have a dynamic IP.

  4. Anonymous Coward

    And if the password is hashed

    If the password is hashed and the size of the hash is (inevitably) much less than the typical size of the plaintext, then what? Do length or alphabet matter much at all?

    Still, it's good to see Graham Clueless is still constructively occupied.

    1. Colin Miller

      Re: And if the password is hashed

      Hashes are a fixed length, independent of the input length, but a property of the hash itself. Placing a maximum length of the password might be a sign that they are storing the unhashed password in a fixed length DB string…

    2. Anonymous Coward

      Re: And if the password is hashed

      You obviously have no idea how hashing works if you think that a resulting hash being shorter than a very long password has any effect.

      Might be worth doing some research

      1. Ian Johnston Silver badge
        WTF?

        Re: And if the password is hashed

        If the hash is shorter than the passwords, does it not imply that more than one password must have the same hash? And therefore that one need only find A working password and not THE original password? Not my field, so please enlighten me if I'm missing something.

        1. ed2020

          @Ian Johnston

          You're correct, but the security added by storing hashes rather than the password itself far outweighs the risks associated with hashing collisions.

        2. Daniel 19
          Devil

          Re: And if the password is hashed

          Yes, in hashes this is called a collision. When two or more plaintext items result in the same ciphertext (hash). The goal of hashes is usually not to eliminate all collisions (because it is impossible), but rather to make them as difficult as possible to generate and figure out without brute forcing through every single possible combination.
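A small added illustration of the collision point made in the replies above (example code written for this page, not from any poster): truncating SHA-256 to a few bits stands in for a short hash, and the birthday bound shows why collisions are trivial to produce at 20 bits but out of reach at 128. The truncation trick and the search loop are the example's own construction; SHA-256 itself is not weakened by them.

```python
import hashlib
import math
import os


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its first `bits` bits, returned as an integer.
    The truncation stands in for a hash that is 'short' relative to its inputs."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, max_tries: int = 1_000_000):
    """Hash random inputs until two different ones share a truncated digest.
    Returns (input_a, input_b, tries), or None if max_tries is exhausted.
    The number of tries needed grows as roughly 2 ** (bits / 2)."""
    seen = {}
    for tries in range(1, max_tries + 1):
        candidate = os.urandom(8)  # constructed random input
        digest = truncated_digest(candidate, bits)
        if digest in seen and seen[digest] != candidate:
            return seen[digest], candidate, tries
        seen[digest] = candidate
    return None


def expected_tries_for_collision(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) random inputs before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    a, b, tries = find_collision(20)
    print(f"20-bit collision after {tries} tries (expected ~{expected_tries_for_collision(20):.0f})")
    print(f"128-bit expectation: ~{expected_tries_for_collision(128):.2e} tries")
```

The second printed figure is the reason the "find A working password, not THE password" worry does not translate into a practical risk for a full-width hash: the work to find any collision at all is around 2^64 hash evaluations for a 128-bit digest, and 2^128 for a 256-bit one.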

    3. This post has been deleted by its author

      1. This post has been deleted by its author

    4. Paul Renault

      Re: And if the password is hashed

      To all: I think my math is OK here, but pls forgive me. I didn't use billion, as the meaning changes depending what side of the Atlantic you're on.

      AC: I don't think you understand just how large a 128-bit number is, let alone a 256-bit number. 128 bits works out to around 3.40 × 10^38 different numbers.

      Humor me here: Fit 3 x 10^11 (three hundred thousand million) hashes in a cubic millimetre...

      A desktop HDD has an outside volume of 386,022 mm^3. At the same storage density as above, the HDD would have to be able to store 115,806,600,000,000,000 128-bit hashes or 1,852,905,600,000,000,000 bytes (1.9 million petabytes - 1.9 zettabytes) of data to match the storage density of that cubic mm above.

      To visualize just how much data that is, think how big a pile nearly two million million 1TB drives would be. The annual HDD production of any sized-storage by the three largest manufacturers is 200M - so that'd be 10,000 years' production.

      Last year, IBM announced that it is building a 120 PB HDD data repository - an array of 200,000 HDDs. That 1.8ZB HDD would represent 15,834 of IBM's arrays.

      The volume of the Earth is roughly 1.097 x 10^27 mm^3. That's a thousand million million million million.

      A planet-Earth-sized pile of 1.8ZB HDDs would be needed just to store all possible 128-bit hashes. (Seagate expects to use HAMR to produce 60 TB+ 3.5" hard drives within the next ten years - you'd still need 31,666 of 'em for ONE 1.9 ZB HDD.)

      At current rates of manufacturing, you would need every HDD produced for 2.6 x 10^21 years just to store all possible 128-bit hashes. That's 1.8 x 10^11 times the age of the universe...

      Oh, it gets worse, AC.

      To store all possible 256-bit hashes, you would need 3.40 × 10^38 Earth-size piles of 1.9 ZB HDDs.

      THAT, my friend, is sufficiently large haystack to hide a needle in.

      Password hashing IS good practice. Best practice is salted hashing, with individual, random salts (assuming the salts aren't stored with the hashes) and a slow, or a memory-intensive hashing algorithm.
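As an added example of the salted, slow hashing the post above recommends (example code written for this page, not from any poster or from Microsoft): scrypt, which is memory-hard, with a random 16-byte salt drawn per password, the salt stored next to the derived key (the usual arrangement, since it is needed again at verification time), and a constant-time comparison when checking a login. The cost parameters are assumed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumed values for illustration; tune them for the deployment hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Derive a key from the password under a fresh random salt (or the supplied one, at verification).
    Returns (salt, key); both are stored with the account record."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def salts_defeat_precomputation(password: str) -> bool:
    """Two enrolments of the same password yield different salts and different keys,
    so a table precomputed for one record is useless against every other record."""
    salt_a, key_a = hash_password(password)
    salt_b, key_b = hash_password(password)
    return salt_a != salt_b and key_a != key_b


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")  # constructed sample password
    print(verify_password("correct horse battery staple", salt, key))
    print(salts_defeat_precomputation("correct horse battery staple"))
```

The per-record salt is what turns "one table of 128-bit hashes" into "one table per account", and the scrypt cost is what makes each entry in that table expensive; together they are why a leaked hash file is far less useful than a leaked plaintext one.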

      1. Anonymous Coward

        Re: And if the password is hashed

        "I don't think you understand just how large a 128-bit number is"

        I do understand that thank you, it's eight times wider than the 16bit numbers I grew up with, but I need some help understanding why anyone would think it's relevant in the context of a "discussion" re hashed passwords.

    5. ed2020
      WTF?

      Re: And if the password is hashed

      The one who needs to get a clue is you.

      1. Anonymous Coward

        Re: The one who needs to get a clue is you.

        Who? By not effectively identifying whom you are addressing, you're the one looking a bit clueless.

        1. ed2020
          Thumb Down

          Re: The one who needs to get a clue is you.

          Or you could just click the "in reply to" button and find out, oh clueless one.

          Alternatively it's fairly easy to work it out given the content of my message.

  5. Mark C Casey

    Missing stuff

    Outlook.com fails on a lot of important features besides password length.

    Two factor authentication and IMAP are two very big ones. The problem with MS is they have a very strong culture of not-invented-here. For example, the outlook.com team recently had an AMA (ask me anything) on reddit and the constantly repeated question of "why don't you support IMAP, we want IMAP" was repeatedly answered with a cookie-cutter meaningless response, typically "we support exchange active sync", much to the derision and face-palming of redditors.

    MS outlook.com simply cannot compete with gmail, they're out of touch with what people actually want versus what they think people should use/have.

    1. Joe Drunk
      Facepalm

      Re: Missing stuff

      I signed up for an account but was disappointed with both lack of IMAP and mobile support. Every email provider I use has a mobile webpage for speedy access but somehow outlook's doesn't work properly. Try m.outlook.com and it will initially open a mobile-looking outlook site but quickly re-direct you to the full website.

  6. The Alpha Klutz

    i also want it to be faster

    outlook is noticeably slower than gmail. you can see it refreshing the page dozens of times going to bay 002 bay 056 bay 089 for fucks sake just load my email up

  7. Chemist

    For really important passwords .

    I use easily remembered passphrases and these are parsed by a little (very well protected -only root readable) C program that swaps letters around, adds fixed characters, pads, adds different numbers to some characters etc. so that a simple passphrase like "Ballmer is a bum" comes out as (something) like :-

    ttxbv34jb21Mxsm1FncZpp

    Just copy/paste. Anyone see a problem?

    This is only for the really important ones such as finance or SSH where I think it's worth putting in a little effort. Even if someone gets local access to the computer and knows about my system they'd still have to know the passphrases (I don't use MYBanksPassword etc.!)

  8. Don Jefe
    Unhappy

    Geek Problem

    Yes longer passwords are most certainly more secure but the geeks always overlook the user factor & they really believe people are going to use more characters than they have in their own name.

    It's never going to happen that non-professional computer users use security best practices. NEVER going to happen.

    The big rub is that major providers of software & hardware try to implement security for "the masses" but the loud voices of IT folks online scream & cry privacy issues so loud they push the providers into a half-cocked system. So thanks Sophos I guess. You've just provided another avenue for biometrics asshats to get involved.

    Thanks again.

    1. Aaron Em

      I tried the XKCD technique

      and my users revolted. Smug pricks aside, what am I supposed to do about this? Fire my users? -- including the ones who sign off on my paychecks?

  9. stanimir
    WTF?

    Password length?

    The length of a password is less important than its strength

    It's all about entropy bits and the statement alone delivers misinformation. Using 2 letters from a-z allows for more bits than the entire ASCII set altogether.

  10. Antony Riley
    WTF?

    "The length of a password is less important than its strength"

    Strength is an exponential function of a password's length.

    *Even if you throw together 5 random unrelated dictionary words, you still have ~ 200,000^5 possibilities.

    320,000,000,000,000,000,000,000,000

    An 8 letter password using a-zA-Z and punctuation is ~ 64^8 possibilities.

    281,474,976,710,656

    It would take 1136868377216 times as long to crack the password based on dictionary words using a brute force attack.

    Clearly long passwords using just dictionary words are vastly more memorable and secure than 8 letter passwords composed of random characters.

    The statement is at best misleading, though I'd go with just plain wrong.

    *Assuming 200,000 dictionary words, OED estimates a quarter of a million not including inflections
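An added calculation (example code written for this page, not the poster's own) that works the numbers in the post above and also the general claim made earlier in the thread that the number of possible passwords is exponential in length but only polynomial in alphabet size. It computes the keyspace, the entropy in bits, the ratio between two schemes, and the growth factor from adding one more character versus one more symbol to the alphabet. The 200,000-word, 64-symbol and 5,000-word figures are the thread's; the 26-letter, 8-character base case is an assumption.

```python
import math


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace, i.e. length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def brute_force_ratio(a_alpha: int, a_len: int, b_alpha: int, b_len: int) -> int:
    """How many times more guesses exhausting scheme A takes than exhausting scheme B (floored)."""
    return keyspace(a_alpha, a_len) // keyspace(b_alpha, b_len)


def marginal_gain(alphabet_size: int, length: int) -> tuple[float, float]:
    """Growth factor of the keyspace from (a) one extra character, (b) one extra alphabet symbol.
    (a) is always a full factor of alphabet_size; (b) is only ((n+1)/n) ** length."""
    base = keyspace(alphabet_size, length)
    return (keyspace(alphabet_size, length + 1) / base,
            keyspace(alphabet_size + 1, length) / base)


if __name__ == "__main__":
    # Constructed comparison: 5 random words from a 200,000-word list vs 8 random symbols from 64.
    print(keyspace(200_000, 5), keyspace(64, 8), brute_force_ratio(200_000, 5, 64, 8))
    # Five words from a 5,000-word working vocabulary, for comparison (about 61 bits).
    print(f"{entropy_bits(5000, 5):.1f} bits vs {entropy_bits(64, 8):.1f} bits")
    # Assumed base case: 26 lowercase letters, 8 characters.
    longer, wider = marginal_gain(26, 8)
    print(f"one more character: x{longer:.2f}; one more alphabet symbol: x{wider:.2f}")
```

The last line is the whole argument in two numbers: at eight lowercase characters, one extra character multiplies the search space by 26, while one extra symbol in the alphabet multiplies it by about 1.35. All of this assumes the words or symbols are chosen uniformly at random; a human-chosen phrase has far less entropy than the keyspace suggests.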

    1. John H Woods Silver badge
      Happy

      Re: "The length of a password is less important than its strength"

      "Clearly long passwords using just dictionary words are vastly more memorable and secure than 8 letter passwords composed of random characters."

      Might be true but most people don't know what many of the 200k words in the English dictionary mean. Most people have a working vocabulary of about 5000 words. I'm pretty much prepared to bet that if you asked most people for 5 random words you would get 5000^5 ~= 10^18 bits of entropy at most. So I reckon you're out by a factor of 100 million or so in your estimate.

      You're still better off with this than 8 characters though.

      1. Antony Riley

        Re: "The length of a password is less important than its strength"

        Ok, I never stated 'generated by a human', I was assuming a computer would generate both the random words and password, because humans are frankly shite when it comes to generating random sequences of anything.

        Even 5000^5 is more than 64^8. That's ignoring the fact that a normal human vocabulary is *50,000 words (and we're still not including inflections). So your argument fails even on its own rather suspect numbers.

        *source: BBC http://news.bbc.co.uk/2/hi/uk_news/magazine/8013859.stm

        1. This post has been deleted by its author

        2. John H Woods Silver badge
          Unhappy

          Re: "The length of a password is less important than its strength"

          Wow, I can see you didn't read my post before hitting the downvote button. It actually agrees that 5000^5 is still better than 64^8. It's just a note of caution that the xkcd 'correct horse battery staple' entropy is often overestimated. I'd normally be interested to know why you think my 'argument fails even on its own rather suspect numbers' but the fact you couldn't even read and comprehend this short post tells me all I need to know.

          1. Antony Riley

            Re: "The length of a password is less important than its strength"

            I'm kinda curious how you reached the conclusion "You are still better off with 8 characters though.".

      2. TeeCee Gold badge
        Happy

        Re: "The length of a password is less important than its strength"

        verified equine accumulator fastening

  11. NomNomNom

    It's funny this exact issue is how come I one day went into an interview for a junior developer role at a medium sized firm in Norwich and came out as their Head of Security.

    They were using an aging in-house order system which required all employees change their password every 90 days. The problem was there were no proper constraints on password length or complexity and they had discovered employees were using twatish passwords like "123" and even " " (a single space!). They wanted me to join their developer team in a project to add proper password constraints to the system. I looked them in the eye and said something like "cancel your expensive security project and make me head of security, I can fix this for you without hassle or expense". Needless to say they gave me the keys to the castle that very afternoon.

    My trick was to track the 90-day period before which an employees password expired. The night before a password expired I would remove that employee's monitor and lock it in the security room. The next day they would have to come to me for their monitor, at which point I would sit them down and oversee them entering their new password to make sure it met constraints.

    I even introduced my own password complexity scheme. To foil hackers, employees were made to fire up character map and switch to the wingding character set. They would then choose 8 symbols* and copy paste them into the new password field using the mouse. This not only foiled keyloggers but I discovered that the characters get "converted" after they are pasted into normal characters, thus even if hackers could see the new password field they would just see something like "hgfiofkg", but not the actual wingding characters behind it.

    *The symbols they chose had to be authorized by myself - which was easy as I, or a member of the security team (I say "security team" but the only other member was the boss's nephew, who was more of a temp and had no idea about security), was sitting behind them watching the whole process. I disallowed simple symbols, especially arrow symbols which could potentially be easily rotated by cracking software. Although as I told my future boss in the interview, all the password crackers out there mainly just try different combinations of normal letters and numbers so the last thing they'd expect is wingding.

    1. RICHTO
      Mushroom

      Ermm. and you seeing all the passwords isn't a security issue?

    2. This post has been deleted by its author

    3. This post has been deleted by its author

    4. General Pance
      Trollface

      Fantastic story

      What a ripping yarn.

    5. Aaron Em

      Two out of ten. It shouldn't be obvious you're full of shit by the end of the second paragraph. Troll harder.

    6. Anonymous Coward

      Why didn't you just configure the password change program to require a complex password?

    7. Annihilator
      WTF?

      Newsflash

      " This not only foiled keyloggers but I discovered that the characters get "converted""

      "Head of Security" discovers that Wingdings is just a bloody font... In other news, he flies to the moon powered only by his own sense of illusion.

      Strictly speaking, you give a guy a torch and a nice blue uniform and have him guard a small lock-up in Norwich, he's "head of security"...

      But realistically I think we're being trolled good and proper

    8. kissingthecarpet
      Trollface

      Dare I say

      Cool story, bro.

  12. tom dial Silver badge

    The security of long or complex passwords is overrated. Even for short passwords the probability of guessing a password randomly is low if only a few failed tries are allowed before the account is locked (source IP should be ignored for this). The guessing process becomes costly per account if a delay of several seconds is enforced after an unsuccessful attempt, especially if the few seconds occur between the attempt and the failure notification and the notification provides no information to distinguish between failure to match an account at all and failure to give the correct password for an existing account. My previous employer required, at one time, 8 character passwords with a 62 character alphabet (UC, LC, Numeric, Special, two from each group), changed at least every 60 days. The account was locked on the third consecutive fail, requiring administrator intervention to unlock the account, and a new password was required at that time. The new password could not be any of the most recent 10 or have been valid during the previous 365 days and was failed if found in a password dictionary. By my reckoning, the probability of randomly guessing the password of a known account under these conditions is in the order of 1 in 10^13. The actual probability likely is several orders of magnitude larger, but still small enough to be ignored for many purposes.

    The risk that concerns me is that the provider might store the password hashes insecurely or worse store them reversibly encrypted or not encrypted at all, and that the file would fall into the hands of someone with technical skills and nasty intentions. For plain text or reversibly encrypted passwords, password length has no benefit in this case. For hashed passwords, and only those, is length of significance, and should be enough to make finding any account/password combination economically unfeasible.

    So I am leery of, and within reason avoid, services that

    (1) can tell me my forgotten password (and think twice about those who can tell me my forgotten userid);

    (2) respond in under several seconds if I make a mistake or respond to an error faster than a good login;

    (3) allow more than a small number of failed attempts;

    (4) do not require a new password after administrative action to unlock the account.

    I am much less concerned with required length or complexity, but do use more of each for such critical accounts as those with banks or credit card issuers.

    Am I wrong here?
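An added sketch (example code written for this page, not from any poster) of the controls discussed in this post and in the source-IP exchange earlier in the thread: a per-account lock after three consecutive failures with an administrator unlock that sets a new password at the same time, a short per-source-address delay after a failure, one generic message for unknown users and wrong passwords alike, and a fixed response delay for every outcome so a failure is never answered faster than a success. The plaintext credential map, the injectable clock and all policy values are the example's assumptions; a real store holds salted, slow hashes. The last function puts a number on the "order of 1 in 10^13" estimate.

```python
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass

# Policy knobs (assumed values chosen for the example, not anyone's production settings).
MAX_CONSECUTIVE_FAILS = 3      # lock on the third consecutive failure
IP_DELAY_SECONDS = 5.0         # per-source delay after a failure
RESPONSE_DELAY_SECONDS = 2.0   # caller waits this long before answering, success or failure
GENERIC_ERROR = "Invalid username or password"   # identical for unknown users and wrong passwords
RATE_LIMITED = "Too many attempts from this address; try again shortly"


@dataclass
class AccountState:
    consecutive_fails: int = 0
    locked: bool = False


class LoginGuard:
    """Throttles login attempts per account and per source address.

    `credentials` maps usernames to passwords; a constructed plaintext map keeps the
    example short, a real store holds salted hashes. `clock` is injectable so the
    behaviour can be tested without sleeping.
    """

    def __init__(self, credentials: dict[str, str], clock=time.monotonic):
        self._creds = credentials
        self._clock = clock
        self._accounts: dict[str, AccountState] = defaultdict(AccountState)
        self._ip_blocked_until: dict[str, float] = defaultdict(float)

    def is_locked(self, username: str) -> bool:
        return username in self._accounts and self._accounts[username].locked

    def attempt(self, username: str, password: str, source_ip: str) -> tuple[bool, str, float]:
        """Returns (success, message, delay). The caller sleeps `delay` before replying."""
        now = self._clock()
        if now < self._ip_blocked_until[source_ip]:
            # Source-level throttle: other addresses, so the real user elsewhere, are unaffected.
            return False, RATE_LIMITED, RESPONSE_DELAY_SECONDS

        known = username in self._creds
        state = self._accounts[username] if known else None
        if known and not state.locked and hmac.compare_digest(
                self._creds[username].encode(), password.encode()):
            state.consecutive_fails = 0
            return True, "OK", RESPONSE_DELAY_SECONDS

        # Every failure (unknown user, wrong password, locked account) looks the same to the client...
        self._ip_blocked_until[source_ip] = now + IP_DELAY_SECONDS
        # ...but only real accounts accumulate failures, so unknown names cannot fill the table.
        if known and not state.locked:
            state.consecutive_fails += 1
            if state.consecutive_fails >= MAX_CONSECUTIVE_FAILS:
                state.locked = True
        return False, GENERIC_ERROR, RESPONSE_DELAY_SECONDS

    def admin_unlock(self, username: str, new_password: str) -> None:
        """Administrator unlock; a new password is set at the same time, as the policy above requires."""
        self._creds[username] = new_password
        self._accounts[username] = AccountState()


def random_guess_probability(alphabet_size: int, length: int, attempts: int) -> float:
    """Chance that `attempts` uniformly random guesses hit one specific password."""
    return attempts / alphabet_size ** length


if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct horse battery staple"})  # constructed sample account
    print(guard.attempt("alice", "wrong", "203.0.113.5"))
    print(guard.attempt("alice", "correct horse battery staple", "198.51.100.7"))
    print(f"3 guesses at 62^8: {random_guess_probability(62, 8, 3):.2e}")
```

The trade-off raised earlier in the thread is visible in the code: the account-level lock is what makes the three-guess probability meaningful, but it also lets anyone who knows a username lock that account, and the per-address delay does nothing to stop that. Which of the two to prefer depends on whether a support desk is available to unlock, which is exactly the point about telephone re-authentication made later on.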

  13. BristolBachelor Gold badge

    Sounds familiar

    A very long time ago, I had to have a MS account for access to some dev resources (I think it was for Wince). So I created the account fine, using a fairly long but not excessively so password, and then found that the website, ftp, dev program would only allow something like 8 chars, so I couldn't type it.

    At the end of the day though, history has shown that you just need to say you've lost your password and type in what you find looking on Google (ask Sarah Palin)

  14. Anonymous Coward
    Devil

    Microsoft Procedure

    1. Release product

    2. Tack on security.

    3. Get people to say that, actually, this product can be very secure if it is configured properly.

  15. Neil Barnes Silver badge
    Stop

    But the problem is probably not passwords

    but with a specific target, social engineering.

    I speak from experience: this last week, my octogenarian and infirm, though mentally alert, father was relieved of over fifty grand from his bank account... having been persuaded by the black hats to hand over sufficient information that they could extract the loot.

    Although he was bright enough to insist on calling the bank, the black hats hung across the line and he believed them when they said things were OK. They then managed to redirect his phone (I haven't worked out how they did that yet) so no-one, in particular the bank, could contact him until we arranged a neighbour to wander round.

    Irrespective of the complexity of his password, it wouldn't have stopped the attack.

    (He has the money back now, thanks to the bank, and some improved protocols which require him to call someone whose voice he recognises before calling the bank (or other alleged agency)).

  16. Smithson
    WTF?

    Wingdings?

    @Nomnomnom

    I have come to the conclusion that if you're "Head of Security for a medium sized firm", then I'm Head of Security for the Queen of Sheba.

    1. kissingthecarpet
      Trollface

      Re: Wingdings?

      He's got form - I think every post by him that I've seen has been a troll.

  17. Anonymous Coward

    "The length of a password is less important than its strength"

    This advice is just sooooo utterly wrong, but for some reason perpetuated by even corporate IT departments. What do you think takes longer to brute force hack?

    1"3$5Az@

    or

    thisisareallylongpasswordthatIcanremembereasilybecauseitsjustanormalphrase

    Hint: work out the number of unique combinations of upper/lower case letters, digits, and symbols in each case. Let this be n, in case 1 the answer is n^8 ... in step 2 it's n^75 (unless the attacker knows that it doesn't contain any symbols or numbers, but he'd have to know the password to know that, so that argument's FUD).

    This is also why people generally "salt" the stored versions of passwords ... to make them longer, not more complex.

    1. Annihilator
      Thumb Down

      Re: "The length of a password is less important than its strength"

      All of the above is true, if and only if the attacker was using a brute force using all ASCII characters, instead of a dictionary attack (with some combinations in your case) or rainbow tables which are much more common attacks.

      Plus you've also selectively picked your quote and ignored where the article points out that length is a factor of strength anyway.

      1. Anonymous Coward

        Re: "The length of a password is less important than its strength"

        Ok, so I can put a deliberate typo in somewhere and presumably thwart the dictionary attack.

        As for the rainbow table, the example I gave was 75 characters, including at least one upper case, so the rainbow table would have to cover at least 32 (26 lower case and 26 upper case) characters.

        Now let's forget about the fact that any sensible security scheme would have the passwords salted, so it's going to be even bigger than that. Also leave out character encoding complexities, and assume 1 character = 1 byte. Even in this very trivialised case, your rainbow table is going to take up 7.6957043352332967211482500195593e+100 terabytes, which seems to me to be a bit of a case of "good luck with that"*.

        Have I missed something?

        *Someone with more energy than me can feel free to correct me on that calculation!

        1. Annihilator
          Thumb Down

          Re: "The length of a password is less important than its strength"

          And you've posted an extreme example. "D£1A$?" would generally be seen as stronger than "twowords" despite the latter being longer.

  18. Oldfogey
    Big Brother

    So who needs security?

    Over the last few days I have opened a number of accounts on Outlook.com.

    They all have the same simple password.

    This is because they are intended to be disposable accounts for websites that insist I join with an email ac in order to use their facilities or download something or buy something - you know the sort of thing.

    There is no link back to me, and as soon as one account starts getting too much spam or junk I will dump it. Who cares if it gets hacked?

  19. upsidedowncreature
    IT Angle

    Passwords, hashing,salting...

    This talk of password hashing, salting etc has made me realise...when I log on to my bank's website, I'm asked for (say) the first, third and sixth letters of my password. This must mean they're storing the passwords in either plain text, or hashed in a reversible manner (is this the same thing as unsalted?). I'm no security expert so: is my conclusion correct and should I be concerned?

    1. JimmyPage Silver badge

      Re: Passwords, hashing,salting...

      It depends ...

      done *properly*, when the password is created, the app also creates a hashed code for each letter in the password. When you are prompted - it compares your input with the hash. Systems like this should be more secure, because even if you speak to an agent - you never give them your whole password (so they can't hightail it out back and hijack your account).

      However, you highlight one thing: once you have entered your password, and pressed "return" you have absolutely no idea what happens to it. Which is why you should NEVER reuse passwords.

      1. stanimir

        Re: Passwords, hashing,salting...

        @JimmyPage

        the app also creates a hashed code for each letter in the password

        That's absolutely useless - generating all the letters to match the hash probably takes one microsecond (incl. adding the salt, if present).

        1. Anonymous Coward

          Re: Passwords, hashing,salting...

          "generating all the letters to match the hash probably takes one micro second (incl. adding the salt, if present)."

          So?

          My bank's attempt at this kind of thing locks you out after three or so consecutive failed attempts.

          In this set of circumstances, surely it's not the time it takes to generate the hash that matters, it's the chances of being right first time?

          1. Anonymous Coward

            Re: In this set of circumstances

            The secondary password fragments are just a fallback measure

            - to avoid keyboard sniffing by entering from a drop-down list, so if some automated attack has already uncovered your ID and password it still doesn't have access

            - to provide an extra variable, so some chancer looking over your shoulder (or watching a spycam) is left guessing.

            At least that's how my bank does it.

          2. Anonymous Coward

            locks "you" out after three or so consecutive failed attempts

            So anyone who can guess your user name can have you locked out, right?

            1. Anonymous Coward

              Re: locks "you" out after three or so consecutive failed attempts

              "anyone who can guess your user name can have you locked out, right?"

              Correct, but irrelevant in these particular circumstances.

              It's not an internet-only bank, it's a telephone and online bank. Their telephone service is open 24x7 (x365), and the telephone folk can quickly remove the lockout using a *different* set of security questions. I know, I've used the facility several times (usually a little while after routinely changing the password and then forgetting the new one).

              In a case where such independent re-authentication was not provided, an option might be to have a limited lifetime block of an hour or three. It'll sort itself out after a while, whilst still providing adequate security and adequate deterrent for most folk.

              Other more creative alternatives are possible, especially in an era where cellphones (and, increasingly, smartphones) are near ubiquitous.

              Now, where were we?

    2. stanimir

      Re: Passwords, hashing,salting...

      They can store multiple hashes on a randomly picked parts of the password. However if they ask just a few letters - it's all bad, there is some non-trivial chance to guess it.
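An added example (example code written for this page, not the poster's) of the arrangement just described: a handful of randomly chosen position subsets are each hashed separately under their own salt, and only those subsets are ever challenged, so the record never holds one hash per letter. The parameters (three positions per challenge, six stored subsets, the PBKDF2 iteration count) are assumptions. Note what it buys and what it does not: each stored entry can still be checked offline against every string of three characters, which is the earlier objection in this sub-thread, so a record like this supplements a hash of the full password and relies on the online attempt limit for its strength rather than on the hash.

```python
import hashlib
import hmac
import os
import random
from itertools import combinations
from typing import Optional

PBKDF2_ITERATIONS = 50_000   # assumed demo value; production uses a higher count or a memory-hard KDF
SALT_LEN = 16


def _derive(positions: tuple[int, ...], chars: str, salt: bytes) -> bytes:
    """Slow hash over the challenged positions and the characters at them, bound to a per-entry salt.
    Including the positions means identical letters at different positions hash differently."""
    material = ",".join(map(str, positions)).encode() + b"|" + chars.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=32)


def enroll(password: str, k: int = 3, stored: int = 6,
           rng: Optional[random.Random] = None) -> dict:
    """Build the stored record: `stored` distinct randomly chosen k-position subsets, each hashed
    separately with its own salt. Only these subsets can ever be challenged."""
    rng = rng or random.SystemRandom()
    all_subsets = list(combinations(range(len(password)), k))
    chosen = rng.sample(all_subsets, min(stored, len(all_subsets)))
    entries = []
    for positions in chosen:
        salt = os.urandom(SALT_LEN)
        chars = "".join(password[i] for i in positions)
        entries.append({"positions": positions, "salt": salt,
                        "key": _derive(positions, chars, salt)})
    return {"length": len(password), "entries": entries}


def pick_challenge(record: dict, rng: Optional[random.Random] = None) -> tuple[int, ...]:
    """Positions (0-based) to ask the user for on this login, drawn only from the enrolled subsets."""
    rng = rng or random.SystemRandom()
    return rng.choice(record["entries"])["positions"]


def verify_response(record: dict, positions: tuple[int, ...], chars: str) -> bool:
    """Constant-time check of the characters supplied for one enrolled challenge."""
    for entry in record["entries"]:
        if entry["positions"] == positions:
            return hmac.compare_digest(_derive(positions, chars, entry["salt"]), entry["key"])
    return False  # a subset that was never enrolled cannot be answered


if __name__ == "__main__":
    secret = "correct horse"   # constructed sample password
    record = enroll(secret)
    asked = pick_challenge(record)
    print("challenge positions:", [p + 1 for p in asked])   # 1-based, as a bank would show them
    print(verify_response(record, asked, "".join(secret[i] for i in asked)))
```

Storing a fixed set of subsets rather than every possible one also bounds what a stolen record reveals: six entries of three characters each expose at most eighteen character positions to offline guessing, not the whole password, and the full-password hash kept alongside is unaffected.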

    3. kissingthecarpet
      Devil

      Re: Passwords, hashing,salting...

      That's that V by V shite. Here's a short explanation of why it's crap.

      http://www.links.org/?p=591

  20. PaulR79
    Unhappy

    Lots of sites add to the problem

    I have a random selection of passwords I use when joining sites and I sigh heavily when I enter a password only to be told that my password must "contain numbers and letter only". If you ignore that you then run into some stupidly short 'maximum' length at around 16 characters. Remembering different passwords over numerous sites is hard enough without having to shorten what you might use on some sites.

    1. Anonymous Coward

      Lastpass ?

      Generates passwords for you and you can set rules ... minimum length, no repeated characters, must include upper case, number, lower case, punctuation, etc

      and it's free.

      1. PaulR79

        Re: Lastpass ?

        I do use Lastpass. There are a few sites you will never want to allow it remember though such as banking, credit card verification etc. I'm also a bit wary of trusting something completely when all passwords are stored in one place like Lastpass.

  21. Anonymous Coward

    nsandi.com

    What about silly places that require the password to be between 6 and 8 characters long?

    Talk about limiting the range of required tests for password guessing.
