    Cloudron Forum
    Password policy

    Discuss (tags: password, feature-request)
    • yusf
      yusf last edited by girish

      Inspired by reading the MSC2000 spec suggestion for Matrix, I want to suggest something similar for Cloudron. Have a look: https://github.com/matrix-org/matrix-doc/pull/2000

      • girish
        girish Staff last edited by

        We used to have strong password policies before and there was an overwhelming number of mails to remove them 😕 And we did. We just stuck to 8 minimum length and since then nobody has complained.

        • mehdi
          mehdi App Dev last edited by

          I totally agree with the removal of such policies. Most studies have shown that the only good policy is length. Everything else makes passwords "hard for humans, easy for computers", which is bad.

          However, I think @yusf's suggestion is to make them configurable by the admin. Some IT departments may have dumb policies they have to follow, and may need it.

          • girish
            girish Staff last edited by

            I was also pointed to https://xkcd.com/936/ 🙂

            • W
              will @girish last edited by

              @girish @mehdi That comic is funny, but pretty horrible advice from a crypto perspective. Longer, more complex passwords are better. That's why god invented password managers. 😊

              Here is a great thread that goes over both sides.
              https://www.reddit.com/r/technology/comments/1yxgqo/bruce_schneier_on_choosing_a_secure_password/cfovs83/

              And... apparently this is a thing:
              https://correcthorsebatterystaple.net

              • mehdi
                mehdi App Dev @will last edited by

                @will That comic is actually great advice 🙂

                Nobody is saying that longer and more complex aren't better as pure security. The point is that longer but less "complex" (as in less character classes, etc...), is much easier for humans, and much harder for computers, which (for passwords that a human must remember) is better.

                Of course, when you can use a password manager, and have passwords that are long AND complex, it's the best. But there's always at least the password-manager's password that you'll have to remember 🙂

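The length-versus-complexity argument above comes down to arithmetic on the size of the pool each element is drawn from. The following is an added example, not code from Cloudron or from any poster in this thread; it puts numbers on the schemes being debated and sketches the admin-configurable policy check @mehdi suggests (word-list size, alphabet sizes and the `check_policy` shape are assumptions made for this illustration). The entropy figures hold only when the words or characters are chosen at random; a favourite lyric's initials are not uniform picks, so this formula overstates their strength.

```python
import math

# Constructed reference figures (assumptions for this example, not Cloudron's):
# a 2048-word passphrase list, the 94 printable ASCII characters, 26 lowercase letters.
WORDLIST_SIZE = 2048
PRINTABLE_ASCII = 94
LOWERCASE = 26


def entropy_bits(pool_size: int, count: int) -> float:
    """Bits of entropy for `count` independent, uniformly random picks from a
    pool of `pool_size` elements: count * log2(pool_size)."""
    return count * math.log2(pool_size)


def compare_schemes() -> dict:
    """Side-by-side entropy of the schemes argued over in the thread."""
    return {
        "4 random words / 2048-word list": entropy_bits(WORDLIST_SIZE, 4),
        "6 random words / 2048-word list": entropy_bits(WORDLIST_SIZE, 6),
        "8 random printable ASCII chars": entropy_bits(PRINTABLE_ASCII, 8),
        "11 random lowercase letters": entropy_bits(LOWERCASE, 11),
    }


def check_policy(password: str, min_length: int = 8, required_classes: int = 0) -> list:
    """Admin-configurable policy (hypothetical shape): a minimum length always
    applies, while character-class requirements are optional. With
    required_classes=0 the check is length-only, so long passphrases pass;
    an IT department that must enforce classes can raise the number.
    Returns a list of violations; an empty list means the password is accepted."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # symbols and spaces
    ])
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if classes < required_classes:
        problems.append(f"uses {classes} character classes, policy needs {required_classes}")
    return problems


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:40s} {bits:5.1f} bits")
    print(check_policy("correct horse battery staple"))
    print(check_policy("correct horse battery staple", required_classes=3))
```

Four random words from a 2048-word list give 44 bits, eight random printable characters about 52 bits, and six random words 66 bits: the passphrase wins on memorability at equal length in bits, but only as long as the words really are drawn at random.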
                • W
                  will last edited by

                  Using dictionary words, even seemingly random ones, is really bad advice. One method my mom used was to take the lyrics of a favorite song, take the first letter of each word and use that for a password, mixed up a little to your liking. That's WAAAAAAAAAAAAAY more entropy than using a string of dictionary words.

                  • yusf
                    yusf last edited by

                    Ah, you're probably right. I still want to be able to look for known leaked passwords, but that's for another topic.

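Checking a password against known breach corpora, as @yusf asks for, is normally done with a k-anonymity lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to a service such as the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/{prefix}`), and matches the remaining suffix locally against the `SUFFIX:COUNT` lines it gets back. The block below is an added example, not Cloudron code or anything a poster shared; it runs offline against a constructed range table built from a handful of sample entries with made-up counts, so that the matching logic can be exercised without network access.

```python
import hashlib

# Constructed sample of passwords that appear in breach corpora, with made-up
# counts; this stands in for the remote range service so the example runs offline.
_SAMPLE_BREACHED = {
    "password": 3_000_000,
    "123456": 30_000_000,
    "qwerty": 3_500_000,
    "letmein": 200_000,
}


def _sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex (the format the range API uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(breached: dict) -> dict:
    """Group hashes by their 5-char prefix, mirroring what /range/{prefix} returns:
    one 'SUFFIX:COUNT' line per hash sharing that prefix."""
    table = {}
    for pw, count in breached.items():
        h = _sha1_hex(pw)
        table.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return table


RANGE_TABLE = build_range_table(_SAMPLE_BREACHED)


def local_range_lookup(prefix: str) -> list:
    """Offline stand-in for the HTTP call; returns the 'SUFFIX:COUNT' lines for a prefix."""
    return RANGE_TABLE.get(prefix, [])


def breach_count(password: str, range_lookup=local_range_lookup) -> int:
    """k-anonymity check: only the 5-char prefix is handed to range_lookup,
    the full hash never leaves this function. Returns the number of times the
    password was seen in breaches, or 0 if it is not in the table."""
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def reject_if_breached(password: str) -> str:
    """Policy hook an admin might enable: refuse any password with a breach hit."""
    n = breach_count(password)
    return f"rejected: seen {n} times in breaches" if n else "accepted"


if __name__ == "__main__":
    for pw in ("password", "letmein", "correct horse battery staple"):
        print(pw, "->", reject_if_breached(pw))
```

To use the real service, replace `local_range_lookup` with a function that fetches the range endpoint for the prefix and splits the response into lines; the matching code stays the same, and the password itself is never transmitted.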
                    • W
                      will @yusf last edited by

                      @yusf Bitwarden has that built in, I only found it the other day!
