yusf last edited by girish
Inspired by reading the MSC2000 spec suggestion for Matrix, I want to suggest something similar for Cloudron. Have a look: https://github.com/matrix-org/matrix-doc/pull/2000
We used to have strong password policies before, and there was an overwhelming number of mails asking to remove them. And we did. We just stuck to a minimum length of 8, and since then nobody has complained.
I totally agree with the removal of such policies. Most studies have shown that the only good policy is length. Everything else makes passwords "hard for humans, easy for computers", which is bad.
However, I think @yusf's suggestion is to make them configurable by the admin. Some IT departments may have dumb policies they have to follow, and may need it.
I was also pointed to https://xkcd.com/936/
Here is a great thread that goes over both sides.
And... apparently this is a thing:
@will That comic is actually great advice
Nobody is saying that longer and more complex aren't better as pure security. The point is that longer but less "complex" (as in less character classes, etc...), is much easier for humans, and much harder for computers, which (for passwords that a human must remember) is better.
Of course, when you can use a password manager and have passwords that are long AND complex, that's the best. But there's always at least the password manager's password that you'll have to remember.
Using dictionary words, even seemingly random ones, is really bad advice. One method my mom used was to take the lyrics of a favorite song, take the first letter of each word and use that for a password, mixed up a little to your liking. That's WAAAAAAAAAAAAAY more entropy than using a string of dictionary words.
yusf last edited by
Ah, you're probably right. I still want to be able to check for known leaked passwords, but that's for another topic.
@yusf Bitwarden has that built in, I only found it the other day!