1280
Passwords (lemmy.world)

We've all been there.

you are viewing a single comment's thread
view the rest of the comments
[-] Tyler_Zoro@ttrpg.network 39 points 1 year ago

Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.

[-] fubo@lemmy.world 22 points 1 year ago* (last edited 1 year ago)

Since 2017 at least; and IIRC years before that; that's just the earliest NIST publication on the subject I could find with a trivial Web search.

https://pages.nist.gov/800-63-3/sp800-63b.html

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

"Memorized secrets" means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.

[-] Rufio@lemm.ee 10 points 1 year ago

I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.

[-] ArianaGrande@lemmy.world 8 points 1 year ago

Yeah, the most recent one for me was creating a password at lemmy.world

[-] Tyler_Zoro@ttrpg.network 1 points 1 year ago

I wouldn’t say obsolete because that implies it’s not really used anymore.

I'm not sure where you heard someone use the word "obsolete" that way, but I assure you that there are thousands if not millions of examples of obsolete technologies in constant and everyday use.

[-] Rufio@lemm.ee 3 points 1 year ago
[-] CoderKat@lemm.ee 6 points 1 year ago

For today's 10,000 who have never seen it, https://xkcd.com/936/ succinctly explains why the whole mixed character types thing isn't favoured.

[-] EmpatheticTeddyBear@lemmy.world 1 points 1 year ago

I'm still waiting on an XKCD that references #936 with the fact that we soon as we have reliable, functional quantum computing, all of the passwords from before that point in time will be completely and utterly broken. That the only way to make a password that a quantum computer would have a tough time breaking is if it was made by another quantum computer. Unless of course the comic has already been made and I just missed it, which is a complete possibility because this year for me has been utterly crap.

[-] Archpawn@lemmy.world 2 points 1 year ago

Some of them are broken by quantum computers, but not all of them. For example, SHA256. You can use Grover's algorithm to take sqrt(n) steps to check n possible passwords, which on the one hand means it can be billions of times faster, but on the other hand, you just need to double the length of the password to get the same security vs quantum computers. Also, this is the first I've heard of a hash that uses a quantum computer. Do you have a source? Hashes need to be deterministic, and quantum computers aren't, so that doesn't seem like it would work very well.

Maybe you're getting mixed up with using quantum encryption to get around quantum computers breaking common encryption algorithms?

[-] Proweruser@feddit.de 0 points 1 year ago

Except you can run a dictionary attack on that and suddenly it's only 4 variables that are cracked way faster than the first password.

[-] Proweruser@feddit.de 0 points 1 year ago

Except you can run a dictionary attack on that and suddenly it's only 4 variables that are cracked way faster than the first password.

[-] cley_faye@lemmy.world 3 points 1 year ago

People should be made aware of all the tools available to properly manage tons of passwords. Not even going too deep into "passkey" stuff or any modern shenanigans, but a password manager used to generate random passwords for each separate sites is such a simple step.

[-] Strobelt@lemmy.world 1 points 1 year ago

Yeah! And nowadays the industry is pushing towards password less authentication. Github just started rolling it out to beta users

this post was submitted on 14 Jul 2023
1280 points (100.0% liked)

Technology

59578 readers
2192 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS