Anyone still including special characters is behind the curve frankly. Working in Cybersecurity it pisses me off when anything enforces the special character requirement. It adds no security but plenty of inconvenience.
Well, sure, but I was under the impression that passphrases that were dozens of characters long were better than passwords. That being said, I've seen almost no institution using anything but your generic 8-16 character, 1 number, 1 capital, 1 special character, none of the past 4 passwords, password template.
I think there are issues with some of the older legacy Windows systems that will straight up truncate anything past 16 characters, so that could be contributing to the issue.
Getting people to move away from old habits is a long and painful process in IT, particularly if the IT folks aren't the ones with decision-making authority.
No. It does not seem to me that three words would be sufficient. However, uncommon phrases are rather good, and even better when combined with special characters.
E.g.
$%Antonio the KiA2 (user is a giant faggot)
This is close to uncrackable using traditional methods. First of all, KiA2 is not going to be present in any passwords that are now known. Secondly, if by some chance all these characters are present in some dictionary used by the cracker, then the random special characters will make it exponentially more difficult anyway.
Of course it was. Adding a special character only increases complexity slightly by adding a few extra permutations to check for each character. Adding extra characters increases complexity by orders of magnitude.
Create a password that's twenty characters long but easy to type and remember and it will never get brute forced. The way passwords actually get popped isn't by brute force attempts to authenticate with every permutation anyway. Far more likely that you get popped by a keylogger or something that pulls the password hash from memory, or an authentication token getting intercepted. No one's getting into your account by guessing your password, that's old tech. Making passwords include a bunch of special characters is nothing more than security theater for the masses.
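Putting the thread's entropy argument into numbers, as an added example that is not from any poster: worst-case brute-force bits for a uniformly random string, the gain from widening the alphabet versus lengthening the string, and the effect of a system that silently truncates input (the character-class sizes, the 7776-word list and the policies compared are assumptions). These are upper bounds; a human-chosen phrase like the ones quoted in this thread has less entropy than a uniformly random one.

```python
import math
from typing import Optional

# Character-class sizes used in the estimates below (assumptions, not from the thread).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32
DICEWARE_WORDS = 7776  # size of a standard Diceware-style word list (assumption)


def charset_bits(length: int, charset: int, truncate_at: Optional[int] = None) -> float:
    """Worst-case search-space entropy in bits for a string of `length` characters
    drawn uniformly from `charset` symbols. If the verifying system silently
    truncates at `truncate_at` characters (the thread's legacy-Windows case),
    only the kept prefix contributes."""
    effective = length if truncate_at is None else min(length, truncate_at)
    return effective * math.log2(charset)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` words chosen uniformly from a `dictionary_size` list."""
    return words * math.log2(dictionary_size)


def bits_for_extra_class(length: int, base_charset: int, extra: int) -> float:
    """Bits gained by adding `extra` symbols to the alphabet at a fixed length."""
    return charset_bits(length, base_charset + extra) - charset_bits(length, base_charset)


def bits_for_extra_length(length: int, charset: int, extra: int) -> float:
    """Bits gained by adding `extra` characters at a fixed alphabet."""
    return charset_bits(length + extra, charset) - charset_bits(length, charset)


def policy_report() -> dict:
    """Constructed comparison of the two positions in the thread: a short
    'complex' password versus a longer one from a smaller alphabet."""
    return {
        "8 chars, all four classes": charset_bits(8, LOWER + UPPER + DIGITS + SPECIAL),
        "16 chars, lowercase only": charset_bits(16, LOWER),
        "20 chars, lowercase, truncated at 16": charset_bits(20, LOWER, truncate_at=16),
        "3 random dictionary words": passphrase_bits(3, DICEWARE_WORDS),
        "4 random dictionary words": passphrase_bits(4, DICEWARE_WORDS),
    }


if __name__ == "__main__":
    for policy, bits in policy_report().items():
        print(f"{policy:40s} {bits:6.1f} bits")
    # Widening an 8-char alphabet by 32 specials buys far less than 4 more characters.
    print("extra class:", round(bits_for_extra_class(8, 62, 32), 1), "bits")
    print("extra length:", round(bits_for_extra_length(8, 62, 4), 1), "bits")
```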
YOU DIDN'T EVEN INCLUDE A SPECIAL CHARACTER
I wonder what the limit is in Active Directory?
So the XKCD comic was right when it said you should use a long compound word like "horsebatterystapler" for a password?
I'malumberjackandi'mokay,IsleepatnightandIworkallday.
^ Impenetrable.