Password De-Complexity
-
I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?
There are only 10 types of people in the world, those who understand binary and those who don't.
Not allowing special characters helps a little bit with all of the rules in the linked article. The article is about XSS only. Then there could be SQL injections, command line injections, etc. on top of this. For maintainability due to XSS, if one developer encodes something in the context of an HTML attribute, and then another developer refactors it and moves the same information into a hidden HTML element or a javascript code block, the second developer better update all of the different encoding rules! This applies to both server and client side code dealing with the data. XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP[^]
-
Thanks for checking it out. I am waiting on my Apple dev account and then you'll be able to run it from any iOS (macOS, iPhone, iPad, etc) and I hope you'll try it. You can make the site/key anything (any string of chars) you want it to be. So you can make it:
bill@ymail.comV1
superHappy15@banksite5
12345
abcde
whateverHelpsYouRememberI've kept it open so only you know your site/keys. thanks again for checking it out and for commenting.:thumbsup:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
I agree. The point is a sha256 hash is a value on the order of 2^256. That's 1.1579208923731619542357098500869e+77 -1 So basically we are saying: My password is one out of the set of all 256-bit numbers. Guess it now. :) If you can guess the resultant hash or you have a algorithm that can calculate it then you pwn all computers anyway. :-D
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
Each digest is created by adding 65 bytes, 64 digits = 512 bytes which is exactly the length of single-iteration digest, this means this has two iterations, therefore a shorter string exists that could generate exactly the same hash as the one that is hashed by your passwords. Not that it could be guessed in seconds/hours/days/years, but it is not as difficult as this calculation. Basically anything beyond 447 bits does not increase the difficulty.
-
dandy72 wrote:
Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not?
Sorry, your math's not right :-) A char-set of 26 chars with a length of 25 gives 2.36e+35 permutations. A char-set of 82 chars with a length of 10 gives 1.37e+19 permutations. The former is way stronger :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
Nish Nishant wrote:
Sorry, your math's not right :)
Hence the disclaimer. :-) I knew I was way off, and somebody would correct me. Was not disappointed.
To get back to my original point, what I am trying to convey here is that a longer easier to remember password is often safer than a shorter harder to remember one. That said, it's not all black and white. :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
To get back to my original point, what I am trying to convey here is that a longer easier to remember password is often safer than a shorter harder to remember one. That said, it's not all black and white. :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
Each digest is created by adding 65 bytes, 64 digits = 512 bytes which is exactly the length of single-iteration digest, this means this has two iterations, therefore a shorter string exists that could generate exactly the same hash as the one that is hashed by your passwords. Not that it could be guessed in seconds/hours/days/years, but it is not as difficult as this calculation. Basically anything beyond 447 bits does not increase the difficulty.
Plamen Dragiyski wrote:
but it is not as difficult as this calculation.
I agree with you. I was basically summarizing for brevity and generalizing for analogy in order to explain it without all the details. Thanks for adding to the conversation. Always like to think about how to make these things more clear and more correctly explained. :thumbsup:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
using gesture or swipe input on mobiles, too hard to do some of the specials
Sin tack ear lol Pressing the "Any" key may be continuate
That just means you're not using the right keyboard[^] :-\
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
-
raddevus wrote:
Those silly password checkers will say they are of medium complexity.
Ya, sure. I was only off by one character when I tried to guess your password. :laugh:
There are only 10 types of people in the world, those who understand binary and those who don't.
Off by one character, in EVERY character position :-)
-
That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
But we still use it on our corporate iPads now that a lock code is enforced as accessibility is more important than security for demo apps.
-
I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?
There are only 10 types of people in the world, those who understand binary and those who don't.
-
Typing passwords on mobile devices is the worst! That's one of the big reasons I created C'Ya Pass so you never have to type a password again. You can get the free Android version right now. This really isn't spam. It's totally related. You can read my articles here where I formulated this new idea of generating passwords that are SHA256 hashes (probably as unhackable as a password could ever be). You can also get the windows version of C'Ya Pass at my site: C'YaPass: F*orget All Your Passwords | Never Memorize A Password Again <br/> Never Type A Password Again <br/> Never Make Up A Password Again[^] I'm really not trying to be spammy. You can read all about technology behind this here at CP in my articles.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
I just want Android to include a general, always available, "see password" option. Mine are nearly all English sentences or phrases, so it's more typing on a wee tiny touch screen and lots of chance of mistakes.
Follow my adventures with .NET Core at my new blog, Erisia Information Services.
-
I just want Android to include a general, always available, "see password" option. Mine are nearly all English sentences or phrases, so it's more typing on a wee tiny touch screen and lots of chance of mistakes.
Follow my adventures with .NET Core at my new blog, Erisia Information Services.
Yeah, it's really difficult. You could type your password in a Note app copy and paste into the target I guess? Thank goodness paste still works in password fields (most).
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.