Not really, you have a better chance if you use a completely random set of words. I remember hearing of someone getting their bitcoin stolen from their wallet despite their password being from an obscure Afrikaans poem.
correct horse battery staple
How did you steal my password??
Witchcraft! Get them!
And then there are those services that let you enter arbitrarily long passwords in the registration form but only save something like 16 characters.
I hate this situation. What horrible design choices in their code!
How would you know?
No, that's the point, you'd never know whether they only validate a subset of the password. Only by testing different variations would you know that less than the whole string still works.
I wouldn't speculate on how common it is but limiting passwords seems to happen more than it should. So maybe many are taking the stealth approach.
One site I know where this happens (at least I experienced it some years ago) was Blizzard. Found out by sheer luck after I clearly fumbled the end of my password and was logged in regardless.
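The silent truncation described in this sub-thread, shown as an added example that is not part of any commenter's post and not any real service's code: a store that keeps only the first 16 characters beside one that hashes the whole password, with a regression check a developer can run against their own login code. The class and function names are hypothetical, and the PBKDF2 iteration count is an illustrative choice.

```python
import hashlib
import hmac
import os

MAX_STORED = 16  # the 16-character limit mentioned in the thread


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library (iteration count is illustrative).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """Flawed (constructed): silently keeps only the first MAX_STORED characters."""

    def __init__(self):
        self.records = {}

    def _prepare(self, password: str) -> str:
        return password[:MAX_STORED]

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, _kdf(self._prepare(password), salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.records[user]
        candidate = _kdf(self._prepare(password), salt)
        return hmac.compare_digest(digest, candidate)


class FullLengthStore(TruncatingStore):
    """Corrected: every character of the password feeds the hash."""

    def _prepare(self, password: str) -> str:
        return password


def accepts_wrong_tail(store, password: str) -> bool:
    """Register a password, then try it again with the last character changed.

    True means the store ignored the end of the password.
    """
    store.register("probe", password)
    fumbled = password[:-1] + ("x" if password[-1] != "x" else "y")
    return store.verify("probe", fumbled)
```

A password of 16 characters or fewer never exposes the flaw, which is why the check has to use a long input.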
Amen
People gotta stop doing QkFEcEEkJFcwUkQ=
aQuickBrownFoxJumpedOverALazyDog$nuggle9 is far easier to remember and secure.
The article is from Bitwarden, which is a password manager - using them you don't need to remember individual passwords (or type them, normally).
Bitwarden does have an option to use passphrases, I just tried it and it gave me washtub-moocher-dominoes.
I use auto-generated passphrases. It's mostly for the occasions where I need to give the password to someone without logging into my Bitwarden account on the device. It's a lot easier, for comparable levels of security.
Precisely why I salted it.
Always something a bit unique, can't make it predictable if someone managed to dump a list of 'em. This also isn't the formula I used, just an example. Random words are also better if your memory is decent, they can even be your salt.
I'm more of a SphinxOfBlackQuartz,JudgeMyVow:3 kinda guy
I switched to using word phrases after having to type in these Qjdu37hYdu4sjdh&) |] >[vry monstrosities or communicate them to someone else one too many times.
Interesting to see the linked list of the top 100,000 passwords from the Have I Been Pwned data set
Looks like the link is broken now.
Edit: A part of the list can be found here and here.