by dahart 3291 days ago
I'm personally convinced 8 chars is now too short to be safe, and I suspect real attacks are generally much faster than 8 hours for a password of that length.

Using a password manager to generate random passwords you get a way to be impervious to dictionary attacks, in addition to being able to generate and manage longer passwords. I'm generally using 20 char passwords, and I'd turn it up further if there weren't so many stupid websites that limit the max length of passwords to 20 characters.

For passwords I need to type, especially if I need them occasionally on a touch screen tablet, I'll use a long all-lowercase password. Some of them have a 'make pronounceable' option as well that gives random syllables and makes typing a 20 char password easier than typing an 8 char password of completely random characters. 20 chars of lowercase alpha is a lot more secure than 8 chars of mixed-case alphanumeric and punctuation.
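The comparison in the comment above (20 lowercase letters vs. 8 characters from a mixed-case alphanumeric and punctuation set) can be checked by counting entropy, and a 'pronounceable' generator can be modelled the same way. The following is an added example, not code from the commenter or from any password manager: the consonant/vowel syllable alphabet is a constructed stand-in for whatever a real manager's pronounceable mode uses, and the charset sizes (26 and 94) come from Python's `string` module.

```python
import math
import secrets
import string

# Character sets compared in the comment: lowercase-only vs mixed case + digits + punctuation.
LOWER = string.ascii_lowercase                                      # 26 symbols
MIXED = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed, hypothetical syllable alphabet for a 'pronounceable' mode:
# every syllable is one consonant followed by one vowel, 18 * 5 = 90 choices.
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def random_password(alphabet: str, length: int) -> str:
    """Uniform random password; secrets.choice is a CSPRNG, random.choice is not."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pronounceable_password(length: int) -> str:
    """Random consonant-vowel syllables, truncated to `length` characters."""
    syllables_needed = (length + 1) // 2
    return "".join(secrets.choice(SYLLABLES) for _ in range(syllables_needed))[:length]


def pronounceable_entropy_bits(length: int) -> float:
    """Each full syllable carries log2(90) bits; an odd trailing consonant carries log2(18)."""
    full, odd = divmod(length, 2)
    bits = full * math.log2(len(SYLLABLES))
    if odd:
        bits += math.log2(len(CONSONANTS))
    return bits


def compare(lower_len: int = 20, mixed_len: int = 8) -> dict:
    """Entropy of the three schemes discussed, in bits, for the given lengths."""
    return {
        "lowercase": entropy_bits(len(LOWER), lower_len),
        "pronounceable": pronounceable_entropy_bits(lower_len),
        "mixed": entropy_bits(len(MIXED), mixed_len),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:14s} {bits:6.1f} bits")
    print("sample lowercase:    ", random_password(LOWER, 20))
    print("sample pronounceable:", pronounceable_password(20))
    print("sample mixed:        ", random_password(MIXED, 8))
```

With these numbers 20 uniformly random lowercase letters give about 94 bits, the constructed pronounceable scheme gives about 65 bits for 20 characters, and 8 characters from the 94-symbol set give about 52 bits; the pronounceable variant gives up roughly 30 bits against fully random lowercase but still beats the short mixed password. The figures only hold if the generator is uniform, which is why the example uses `secrets` rather than `random`.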

2 comments

Yeah... I feel if you're limiting input, that limit should at LEAST be 64-100 characters or more. Then, since you're hashing anyways, I wouldn't worry too much about limits (other than practical check times, for creation complexity requirements, etc).

The other side is to use a fairly expensive hash, and methods to mitigate/reduce use of a login system as a DDoS vector... having the system and database used for authentication separate from your actual application is a good start, as is exponential backoff on bad passwords by IP and username.

Moving to a separate "auth" domain that returns a signed or encrypted token, and having that in isolation won't stop your processes from running if you get too many requests for auth at once. Having an exponential and random wait before returning from a failed login is another. Keeping track of IP/user requests in an N minute block is also helpful.

Token re-auth may be on the auth domain, or the actual service domain, so that can be different.
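The throttling the commenter describes (exponential backoff keyed on both IP and username, a random component in the wait, failures counted in an N-minute block) fits in a small piece of state per key. The following is an added example, not the commenter's code: it is a hypothetical in-memory implementation with an injectable clock and random source so the behaviour can be checked deterministically; in a real deployment the counters would live in a shared store that every auth worker can see.

```python
import random
import time
from collections import defaultdict


class LoginThrottle:
    """Count failed logins per IP and per username inside a sliding window and
    turn the count into an exponentially growing, jittered delay.

    Constructed example: in-memory only, single process, no persistence.
    """

    def __init__(self, window_seconds=600, base_delay=1.0, max_delay=300.0,
                 clock=time.monotonic, rng=random.random):
        self.window = window_seconds      # the "N minute block" from the comment
        self.base = base_delay            # delay after the first failure
        self.max = max_delay              # cap so the backoff cannot grow without bound
        self.clock = clock                # injectable for testing
        self.rng = rng                    # returns a float in [0, 1); injectable for testing
        self.failures = defaultdict(list) # key -> timestamps of failures still inside the window

    @staticmethod
    def _keys(ip, username):
        # Both dimensions are tracked: one IP spraying many users, and one user
        # being attacked from many IPs, each raise their own counter.
        return (("ip", ip), ("user", username.lower()))

    def _recent(self, key, now):
        cutoff = now - self.window
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            self._recent(key, now).append(now)

    def record_success(self, ip, username):
        # A correct password clears the per-user counter only; the per-IP
        # counter stays so a spraying source address remains slowed down.
        self.failures.pop(("user", username.lower()), None)

    def failure_count(self, ip, username):
        now = self.clock()
        return max(len(self._recent(k, now)) for k in self._keys(ip, username))

    def delay_seconds(self, ip, username):
        """0 with no recent failures; otherwise base * 2**(n-1), capped, plus up to 50% jitter."""
        n = self.failure_count(ip, username)
        if n == 0:
            return 0.0
        backoff = min(self.max, self.base * (2 ** (n - 1)))
        return backoff * (1.0 + 0.5 * self.rng())


if __name__ == "__main__":
    throttle = LoginThrottle(window_seconds=600, base_delay=1.0, max_delay=64.0)
    for attempt in range(1, 8):
        throttle.record_failure("203.0.113.7", "alice")   # constructed sample address/user
        print(f"failure {attempt}: next attempt delayed {throttle.delay_seconds('203.0.113.7', 'alice'):.1f}s")
```

A design note on where the delay is applied: sleeping inside the request handler for the computed time holds a worker open for the duration, which is the resource an attacker flooding the login endpoint wants to exhaust. Rejecting the attempt immediately with the delay as a retry-after value, and only accepting the next attempt once it has elapsed, gives the same per-account slowdown without tying up the auth service.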

Agreed that long passwords are generally better.

For online services (e.g., HackerNews), what's the scenario where an attacker cracks an 8 character password in 8 hours? I assume the attacker would need to download a copy of the service's password store and in that case the service has been hacked to a degree that the attacker won't need to crack passwords anymore.