Password policy
-
Inspired by reading the MSC2000 spec suggestion for Matrix, I want to suggest something similar for Cloudron. Have a look: https://github.com/matrix-org/matrix-doc/pull/2000
-
I totally agree with the removal of such policies. Most studies have shown that the only good policy is length. Everything else makes passwords "hard for humans, easy for computers", which is bad.
However, I think @yusf's suggestion is to make them configurable by the admin. Some IT departments may have dumb policies they have to follow, and may need it.
-
@girish @mehdi That comic is funny, but pretty horrible advice from a crypto perspective. Longer, more complex passwords are better. That's why god invented password managers.
Here is a great thread that goes over both sides.
https://www.reddit.com/r/technology/comments/1yxgqo/bruce_schneier_on_choosing_a_secure_password/cfovs83/
And... apparently this is a thing:
https://correcthorsebatterystaple.net
-
@will That comic is actually great advice
Nobody is saying that longer and more complex aren't better as pure security. The point is that longer but less "complex" (as in less character classes, etc...), is much easier for humans, and much harder for computers, which (for passwords that a human must remember) is better.
Of course, when you can use a password manager, and have passwords that are long AND complex, it's the best. But there's always at least the password manager's password that you'll have to remember.
-
Using dictionary words, even seemingly random ones, is really bad advice. One method my mom used was to take the lyrics to a favorite song, take the first letter of each word and use that for a password, mixed up a little to your liking. That's WAAAAAAAAAAAAAY more entropy than using a string of dictionary words.
-
Ah, you're probably right. I still want to be able to look for known leaked passwords, but that's for another topic.
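As an added example, not code from this thread or from Cloudron, here is what the two ideas above look like together: a policy check where length is the primary rule, extra character-class rules are admin-configurable, and a leaked-password check matches against a constructed local SHA-1 list by hash prefix, so only the first five hex characters would ever need to leave the host if the list lived on a remote range service.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Length is the primary rule; character-class rules are optional and admin-configured.
    min_length: int = 12
    min_classes: int = 1        # 1 means effectively "length only"
    reject_leaked: bool = True


# Constructed sample breach corpus: uppercase SHA-1 hex digests, the form such lists
# are commonly distributed in. Assumption: these three entries stand in for a real list.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "correcthorsebatterystaple", "letmein")
}


def character_classes(pw: str) -> int:
    """Count how many of lower / upper / digit / other appear in the password."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


def is_leaked(pw: str, corpus=LEAKED_SHA1) -> bool:
    """k-anonymity style lookup: select candidates by the first 5 hex chars of the
    hash, then compare the remaining 35 locally, so a remote range service would
    only ever see the prefix (here the 'service' is the in-memory corpus)."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    range_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in range_suffixes


def check_password(pw: str, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(pw) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if policy.reject_leaked and is_leaked(pw):
        problems.append("appears in a known breach corpus")
    return problems
```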