Password policy

girish

We used to have strong password policies before and there were overwhelming number of mails to remove them And we did. We just stuck to 8 minimum length and since then nobody has complained.

mehdi

I totally agree with the removal of such policies. Most studies have shown that the only good policy is length. Everything else makes passwords "hard for humans, easy for computers", which is bad.

However, I think @yusf suggestion is to make them configurable by the admin. Some IT departments may have dumb policies they have to follow, and may need it

girish

I was also pointed to https://xkcd.com/936/

will

@girish @mehdi That comic is funny, but pretty horrible advice from a crypto perspective. Longer, more complex passwords are a better. That's why god invented password managers.

Here is a great thread that goes over both sides.
https://www.reddit.com/r/technology/comments/1yxgqo/bruce_schneier_on_choosing_a_secure_password/cfovs83/

And... apparently this is a thing:
https://correcthorsebatterystaple.net

mehdi

@will That comic is actually great advice

Nobody is saying that longer and more complex aren't better as pure security. The point is that longer but less "complex" (as in less character classes, etc...), is much easier for humans, and much harder for computers, which (for passwords that a human must remember) is better.

Of course, when you can use a password manager, and have passwords that are long AND complex, it's the best. But there's always at least the password-manager's password that you'll have to remember

will

Using dictionary words, even seemingly random is really bad advice. One method my mom used was take lyrics to a favorite song, take the first letter of each word and use that for a password, mix up a little to your liking. Thats WAAAAAAAAAAAAAY more entropy than using a string of dictionary words.

yusf

Ah, you're probably right. I still want to be able to look for known leaked password, but that's for another topic.

will

@yusf Bitwarden has that built in, I only found it the other day!

charlesnw

Would it be possible to allow the policy to be set period ? That way sites with higher security requirements can meet federal / enterprise standards ?

joseph

https://forum.cloudron.io/topic/13995/password-complexity is the feature request thread (which looks like you created, thanks)