| HN Mirror

It's easier for me to remember really long passphrases than even short alphanumeric strings - small maximum password lengths set my teeth on edge. The passwords should be getting hashed anyway right?

[1] https://en.wikipedia.org/wiki/Credential_stuffing

raddan 125 days ago

The problem is that you never really know what a website operator does with your credentials. Ideally, you have both a unique email and a unique password for each site, because sadly credential stuffing [1] is a thing.

Should being the operative word...

I recommend all my friends and family to use a password manager like Bitwarden, and if they can't do that for some reason, at least use a 3-word passphrase separated by a hyphen.

The amount of times people have complained to me that this doesn't work because of low max-chars on passwords is insane.

One time I had to reset my password with the power company - they had such a system, and the lady had to read me something like:

Uh4zB4DP55WD!

Apparently I was a bit salty with the system when I set it.

The fact that she shouldn't have even been able to look up the password in the first place due to hashing was lost on her.

That's pretty funny on a few levels, not in the least that they required a "secure" password like that but stored them in plain text.

raddan 125 days ago

I regularly conduct transactions at the branch of my local bank wherein they ask me for no credentials whatsoever. I also once forgot to bring my account number with me and the teller said "no worries, I'll look it up for you." Kind of horrifying.

lostlogin 125 days ago

Oh! But that’s safe! Secret question time: What’s your mother’s maiden name.

jazzyjackson 125 days ago

It helps that it’s a jailable offense to make fraudulent transactions

doubled112 125 days ago

Isn’t unauthorized access to a computer system also a jailable offence in most places?

Would using the password you gain through this social engineering be doubly illegal?

tonyedgecombe 125 days ago

My bank’s password field is case insensitive. Of course they could have lowercased it before hashing but I doubt it.

abustamam 124 days ago

That's scary. I wonder if incompetence like that could lead to a lawsuit in the case of a breach.

At this point I wouldn't be surprised if there exists a system that just asks for username with a checkbox "check here if you are the owner of this account"

Yeah I was a bit shocked... like... you're not supposed to know that!

tshaddox 125 days ago

I bet the rationale would be "anything over 12 characters will be too hard to remember and people will just write down the password."

But it's a maximum. It prevents people that want to use passphrases from doing so.

unethical_ban 125 days ago

Until the late 2010s, the AD account password at my financial institution employer was capped at 12 characters because, for a subset of workers, AD creds were sync'ed to a mainframe application that could only support that many characters.

jamesfinlayson 125 days ago

Sounds about right. One of Australia's big four banks had the online banking password requirement of exactly six characters for a long time - for similar reasons I assume.

I think we (whoever we is) should start normalizing the concept of passphrases; on sign-up screens they should show the benefits of a passphrase. I'm surprised that Googles PW generator does not use passphrases, and I don't know about ios because I haven't tried theirs yet.

I started using passphrases after I saw this xkcd https://xkcd.com/936/

When I'm trying to log into something on a device that has a terrible keyboard, like a TV or giant touchscreen, it's a lot easier to type words I know than gibberish.

delta_p_delta_x 125 days ago

correct horse battery staple; knew it before I clicked the link.

https://haveibeenpwned.com/Passwords

Whoops, I've been pwnd!