Mandatory Password Lengths

OutThere · Nov 28, 2005

Hey...I've been thinking, since for the past year or so I've had a 1-character long password

for the forums, maybe we should ask the powers that be to put in a minimum password length.

Now, I understand that it's really stupid to have very simple passwords, but it's also asking for trouble to allow 1 or even 2 character passwords.

Instead of starting a dialogue directly with arn I felt I'd post here and see what other people felt about it. Even though we've never, to my knowledge, had a major password-stealing issue here, it might be a good idea to enable some sort of minimum length for them...what do you all think?

my password is no longer just one character, for all of you who are about to run off and start trying to log in as me!

clayj · Nov 28, 2005

I agree completely. 6 characters should be the minimum length.

emw · Nov 28, 2005

MUWAHAHAHA! None of you are safe! emw thought he had a good password but I hacked it anyway! Fool.

Alright, it's really me (I swear

) but in reality, I don't know that password limiting is all that helpful here. If someone really wanted to login as you, they could - assuming you get unlimited login choices. Half the battle is already lost, since our login user names are the same as our member IDs. If someone first had to get my user name and then work at my password, it's more difficult. Now, they just need the password.

That being said, I'm now changing my password.

Kobushi · Nov 28, 2005

OutThere said:
my password is no longer just one character, for all of you who are about to run off and start trying to log in as me!

Of course not. It's 2!

yeah, I would agree with the both of ya. Minimum password lengths are a good idea and 6 is a good one to go with (although mine is longer)

Lacero · Nov 28, 2005

I pity the fool who chooses to use 1 digit passwords!

Here's to the Crazy Ones

buryyourbrideau · Nov 28, 2005

For what reason would someone want to infiltrate your MR account...

To come onto the forums and talk trash?

Lacero · Nov 28, 2005

buryyourbrideau said:
To come onto the forums and talk trash?

Not on MR... although some of the professional forums I visit where we talk trade, there are always a few who like to stir up crap and cause trouble for the peevish majority. They do it because people in my trade have big egos, and there are trolls who want to discredit or humiliate the other person by snide comments and taking on imposter alter egos.

This problem doesn't exist on MR, thank-god.

Here's to the Crazy Ones

Doctor Q · Nov 28, 2005

A minimum password length would be a good idea, but I don't think vBulletin has an option for it. It does enforce a minimum username length (3 characters) but not one for passwords.

We have never had a report that somebody guessed a password and misused someone else's account, but it could happen in theory, and the infiltrator could gather personal information such as your e-mail address that MacRumors itself would never give out, so having an unguessable password is a good habit.

I hope nobody finds out that my password is "Q". That's the only letter on my keyboard, and "QQ", "QQQ", etc. are unpronounceable for my voice input software, so "Q" was the only choice I had

Jedi128 · Nov 28, 2005

Ummm, personally I hate when some website/forum tells me my password has to be 100 characters in length or they won't allow it. Let everyone worry about there own @$$! If they want to make a one character password, let them! We're not ur mommy!

Mitthrawnuruodo · Nov 28, 2005

Doctor Q said:
... so having an unguessable password is a good habit.

I like to go for the passwords too stupid to guess, like my all time favourite (from a Dilbert cartoon), six asterisks: ******

Edit: On second thought I just had to go change my MR password from an equally stupid password to something a bit harder to guess...

Apple Hobo · Nov 28, 2005

Jedi128 said:
Ummm, personally I hate when some website/forum tells me my password has to be 100 characters in length or they won't allow it. Let everyone worry about there own @$$! If they want to make a one character password, let them! We're not ur mommy!

^^what Jedi said.

For an informal forum, strong passwords are overkill. Now for my online bank access, I use letters & numbers.

Lau · Nov 28, 2005

Jedi128 said:
Ummm, personally I hate when some website/forum tells me my password has to be 100 characters in length or they won't allow it. Let everyone worry about there own @$$! If they want to make a one character password, let them! We're not ur mommy!

I know what you mean here. I have a system regarding passwords (I'm such a geek

) and I hate it when, say, Hotmail says "Nooo, you can't use your insecure password here" and I'm like "Er, I only use hotmail for spam. Please let me use whatever I like". I appreciate the warning, because not everyone's aware, but please don't actually restrict me. Just because Hotmail thinks it's important enough for secure passwords doesn't mean I think so.

cjc343 · Nov 28, 2005

My computer password is currently 20 characters. I was thinking about including the german double-s or some other rarely-used character that I don't know how to type on a Windows machine for (part of) my next password, but then I'd need to learn how to type it... and make sure I could type it in DOS...

I once calculated how long it would take to crack my password assuming you used all the proper character sets. I assumed somewhere along the lines of 10 million passwords per second and still figured it would take a few decades to break it... I wish I had written down that number...

It's been a few months... I need to go change all my passwords again...

sushi · Nov 29, 2005

cjc343 said:
My computer password is currently 20 characters. I was thinking about including the german double-s or some other rarely-used character that I don't know how to type on a Windows machine for (part of) my next password, but then I'd need to learn how to type it... and make sure I could type it in DOS...

I once calculated how long it would take to crack my password assuming you used all the proper character sets. I assumed somewhere along the lines of 10 million passwords per second and still figured it would take a few decades to break it... I wish I had written down that number...

It's been a few months... I need to go change all my passwords again...

I once had a very secure log in system.

You had to enter three passwords correctly in the proper order to the same prompt to get in.

For example:

Password Account A?
Password Account A?
Password Account A?

So for the first one, if you made a mistake, it replied the same as if you entered the correct password.

This was back in the old terminal days were the password was printed on paper then over stroke a few times.

There were a few folks who tried to break my password system. None did.

I loved that system.

As for MR, I would say that a minimum password length would be a good idea. Then again, if we were to go to that level, we should probably have a mix of letters (caps and smalls), numbers, punctuation, etc.

Then again, maybe just leave it up to the individual.

Sushi

emw · Nov 29, 2005

I just signed up at spymac.com just for kicks, and I hate their whole security system. Passwords are restricted, you need a "character" code as well (pick 3 of 8 images in any order). It took me about 2 hours just to register (alright, a bit of an exaggeration).

In all, for sites like this that contain essentially no personal information beyond e-mail addresses, a secure password seems to be overkill.

Doctor Q · Nov 29, 2005

I've designed my own password-entry software and one of the tricks I invented was to allow or require backspaces in a password. The software has to be watching each keystroke, rather than using a standard text-entry field, to make this possible.

A password like MACRUMOU(backspace)RS can be a bit harder for someone to steal even if they are looking over your shoulder as you type or sniffing packets on the network.

If you are one of those people who uses your dog's name as your password, I suggest naming your dog "w45h:J%L6v". It makes calling him/her a little harder, but your accounts are safer!

According to Gartner, the average office worker has 12 passwords and regularly forgets some of them. One study found that employees forget more than 4 passwords per year at a business cost of $9 per password.

emw · Nov 29, 2005

Doctor Q said:
If you are one of those people who uses your dog's name as your password, I suggest naming your dog "w45h:J%L6v".

I use my dog's nickname - l1ttl3 $#%!$@

sushi · Nov 29, 2005

Doctor Q said:
If you are one of those people who uses your dog's name as your password, I suggest naming your dog "w45h:J%L6v". It makes calling him/her a little harder, but your accounts are safer!

Hey Q, how did you find out the name of my dog?

P.S. Please check gmail.

Sushi

Search

Search

Mandatory Password Lengths

OutThere

macrumors 603

clayj

macrumors 604

emw

macrumors G4

Kobushi

macrumors 6502a

Lacero

macrumors 604

buryyourbrideau

macrumors 65816

Lacero

macrumors 604

Doctor Q

Administrator

Jedi128

macrumors 6502

Mitthrawnuruodo

Moderator emeritus

Apple Hobo

macrumors 6502a

Lau

Guest

cjc343

macrumors 6502

sushi

Moderator emeritus

emw

macrumors G4

Doctor Q

Administrator

emw

macrumors G4

sushi

Moderator emeritus

Our Staff