Knasher wrote: » That's equivalent to putting a limit of 5 letters to user names. It's safe enough then but you haven't really saved anything by doing it and you have put an upper limit on the number of registered users. Just to be exact, if you only allow letters and numbers you would be limiting yourself to 376992 users only. (and to take it a little further, boards passed that number in September last year)
red menace wrote: » I also work in IT and I know people are using the most retarded passwords ever My current password is touching 30 characters long, it sometimes takes me more than one attempt to get it right
The Left Hand Of God wrote: » Do you agree with a 30 day forced password change limit? I find that the most pity-full and stupid thing ever. Forces people to be stupid IMO
SuperInfinity wrote: » Eh? 26 characters plus 10 numerals (26+10)^5 = 5,2521,875. If you allows upper and lower case letters: 62^5 = 916,132,832
SuperInfinity wrote: » Besides, there's no good reason that a password should be limited like that.
SuperInfinity wrote: » What if I want a very long username? Also there's the fact that you have to press tab....
red menace wrote: » It would make brute forcing boards really simple. Without the username being required any combination of characters could be tried and potentially loads of accounts could be comprimised
SuperInfinity wrote: » This isn't true at all. That's like saying any combination of usernames and passwords could be tried. The "tab" between your username and password is the exact same as having a known character somewhere in the middle of the password. Any implementation of it to make it harder to brute-force could be directly copied in the password-only scenario by treating the first and second parts differently. Truecrypt for example doesn't have any "user name" required. You can use keyfiles but they're not to avoid bruteforcing a password.
Knasher wrote: » It is true. When you have usernames and passwords you can know the username, but you would need to try many passwords in order to get the right one. If it was just passwords, then it would be much easier to get an account. Not a specific account mind you, just a random one. The reason you don't need a username for truecrypt is because there is only one correct password.
KeithM89 wrote: » Well i hope no one else is using 'password' as their password....
SuperInfinity wrote: » This isn't true at all. That's like saying any combination of usernames and passwords could be tried.
SuperInfinity wrote: » It would only be easier if the username + password was exactly equal to the password alone and all characters allowed in passwords were also allowed in usernames because of the seperation of them which is equivalent to the use of "tab".
Knasher wrote: » Actually sorry, realised I was wrong with my maths up above. Red faced now and tired I think I'll bow out before I make a further fool of myself.
vibe666 wrote: » no it isn't. if you have NO username and say a 15 character password it's going to be very difficult for anyone to guess what it is. if you have a board with 1,000,000 users it's going to be a hell of a lot easier to guess what any one or even some of those passwords are using brute force, particularly if you know that it NEEDS to be a long password as you can remove anything shorter than the minimum password length from the attack. BUT simply adding a username means that you have to guess every possible password until you get the right one for EACH user, not just guess the right password for any user. if you really don't like typing in usernames & passwords all the time then use something like lastpass with a strong master password and let it handle everything else online for you.
SuperInfinity wrote: » vibe666. You are wrong. I said the exact same length password as password + username. I have told you all you need to know to work it out and only stated the obvious. Now leave me alone, but remember you are wrong.
vibe666 wrote: » the simple truth is, that the more factors you have for a particular account, the more secure it is likely to be. why do you think most online banking has a 3 factor login?
SuperInfinity wrote: » could be one of them. This is the exact same as splitting them up. The only difference with a password one longer than it is that the underscore could be any character.
vibe666 wrote: » in that case, regardless of who is right and who is wrong on the maths/security part of it, what difference does it even make at all what button you hit to go from your username to your password when what you are suggesting (by your own admission) amounts to basically the same thing? for something such as a web forum, all an attacker has to do is register as a new user and they instantly have access to every registered username for that site, so all they have to do then is crack the password (or in your case the 2nd half of the password since the first half is the username anyway).
vibe666 wrote: » obviously, with the main difference here being that the entire world has already been using the current method for many years and not only is everything set up for that to work, but everyone is used to doing it that way so why would anyone want to change it now? the merits of a 2 factor username & password login are pretty obvious as they are still pretty secure but much easier to remember than a 20 character random string of letters, numbers and symbols.
vibe666 wrote: » this isn't about arguing or winning, this is about you presenting an idea for people to review and critique and judge it on it's potential merits, so if you believe in what you are putting forward to the forum, then at the very least i think you would be willing to defend it.
SuperInfinity wrote: » I am willing to defend it, that's why I'm arguing for its merits.