by yreg 1100 days ago
I don't understand what they mean by strong passwords.

From the methodology:

> If the product uses passwords or other means of security for remote authentication, it must require that strong passwords are used, including having password strength requirements.

What are 'strength requirements'? Is minimum-length-of-X a strength requirement? Apparently not, since Abide failed for the following:

> Strong password: No. Allowed us to register with '11111111'. They require 8 characters minimum, but do not check if a password is strong.

----

I don't believe in the meme of l337speak pa55W0rd$. I think sufficiently long pass phrases are fine.

3 comments

Passwords tend not to be brute forced one character at a time, but by combinations of common password lists and rainbow tables. The base unit is not a character in these cases but entries in the tables.

Therefore, a password like "EstablishedCousins" is significantly less secure than "bR^4outc0m3" despite containing more characters.

Edit: I actually mean dictionary attack, not rainbow tables, but my point still stands.

Edit 2: In fact, the password from the example ("11111111") appears in the 71st line of this password dictionary: https://raw.githubusercontent.com/duyet/bruteforce-database/...
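Added example, not code from the thread: a minimal check that combines the 8-character minimum with a common-password denylist, so '11111111' is rejected even though it satisfies the length rule. The denylist entries below are a constructed handful for illustration; a real deployment would load a full wordlist such as the one linked above with `load_denylist`.

```python
# Added example (not from the thread): minimum length + common-password
# denylist. '11111111' passes the length check but fails the list check.

# Constructed sample of a "common passwords" list. Real lists hold millions
# of entries; these few are only for illustration.
COMMON_PASSWORDS = {
    "123456", "password", "11111111", "qwerty", "12345678", "hunter2",
}

MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Fold case and trim whitespace so trivial variants of a listed
    password ('Password ', 'PASSWORD') still match the denylist."""
    return password.strip().lower()


def load_denylist(lines) -> set:
    """Build a denylist from an iterable of lines (e.g. a wordlist file),
    normalizing each entry the same way user input is normalized."""
    return {normalize(line) for line in lines if line.strip()}


def check_password(password: str, denylist=COMMON_PASSWORDS,
                   min_length: int = MIN_LENGTH) -> list:
    """Return the reasons the password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalize(password) in denylist:
        reasons.append("appears in common-password list")
    return reasons


if __name__ == "__main__":
    for candidate in ["11111111", "short", "EstablishedCousins"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The length rule alone is what the methodology quoted above appears to treat as insufficient; the denylist lookup is the extra check that catches entries like '11111111', and normalizing both the list and the input keeps capitalization or stray whitespace from bypassing it.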

> Therefore, a password like "EstablishedCousins" is significantly less secure than "bR^4outc0m3" despite containing more characters.

And "awn-handsome-dolce-esophagi-radix-lawgiver" is more secure than "Hunter2"…

My point is that their methodology doesn't cover what they mean by strong passwords. A sufficiently long (and sufficiently random - but how do you check for that?) pass phrase is strong in my view.

'Sufficiently long' is doing a lot of work though. 1$a}F is a five symbol password and so is ASufficientlyLongPassPhrase. Unless an attacker has some specific knowledge about how the passwords were generated, the latter is significantly more secure since the dictionary size for the symbols (English words, though none especially uncommon so top 5k or so should suffice) is significantly larger than that of the former (standard keyboard characters). But it's not nearly as secure as a password in the style of the former with the same number of characters as that passphrase.

8 characters isn’t exactly long but I agree overall length is the main way to make a password stronger. Cue the xkcd comic.
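Added example, not code from the thread: the entropy arithmetic behind the comparison above, where a password of N symbols drawn uniformly from a dictionary of size D carries N * log2(D) bits. The alphabet size of 95 (printable ASCII) and the 5,000-word list are assumptions taken from the comment; the function `passphrase_estimates` gives both the figure an attacker who treats the phrase as random characters faces and the figure one who knows it was built from the wordlist faces.

```python
import math

# Added example (not from the thread). Models the thread's point that the
# unit an attacker must guess is a dictionary entry, not a character.

PRINTABLE_ASCII = 95   # assumed alphabet: space through '~' on a US keyboard
WORDLIST_SIZE = 5000   # assumed "top 5k or so" English words, per the comment


def entropy_bits(n_symbols: int, dictionary_size: int) -> float:
    """Bits of entropy for n_symbols chosen uniformly from dictionary_size choices."""
    if n_symbols < 1 or dictionary_size < 2:
        raise ValueError("need at least one symbol and at least two choices")
    return n_symbols * math.log2(dictionary_size)


def random_string_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random string of printable characters."""
    return entropy_bits(length, alphabet_size)


def passphrase_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of n_words picked uniformly from a wordlist."""
    return entropy_bits(n_words, wordlist_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses to hit a uniformly chosen secret of this entropy."""
    return 2.0 ** (bits - 1)


def passphrase_estimates(words: list) -> dict:
    """Two views of the same passphrase: an attacker unaware of the generation
    method must treat it as random characters; one who knows the wordlist
    only has to guess which words were picked."""
    phrase = "".join(words)
    return {
        "attacker_unaware": random_string_bits(len(phrase)),
        "attacker_knows_wordlist": passphrase_bits(len(words)),
    }


if __name__ == "__main__":
    print("1$a}F:", round(random_string_bits(5), 1), "bits")
    est = passphrase_estimates(["A", "Sufficiently", "Long", "Pass", "Phrase"])
    for view, bits in est.items():
        print(f"ASufficientlyLongPassPhrase ({view}):", round(bits, 1), "bits")
    print("27 random printable characters:", round(random_string_bits(27), 1), "bits")
```

The numbers line up with the comment: five keyboard characters come to about 33 bits, five words from a 5,000-word list to about 61 bits, and a 27-character random string to about 177 bits. The passphrase only reaches the 177-bit figure against an attacker who does not know it was assembled from common words; the estimate a defender should plan around is the lower one.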