Lowering Forum Password Requirements
#1
Hello,

Normally one would expect a user to hang around awhile before making suggestions.... but in this case, the suggestion has to do with the process of becoming a new Forum user, so I am posting now before I forget.

Meanwhile, I want to thank you for making Linux Lite - and this Forum - available for free.

There are two reasons that the Forum Password Requirements are way too strict:

1 - This is not a bank.  No one is going to go to the trouble of cracking Forum passwords - just to post to Linux Lite Forum as me.  So, even passwords like "1234" and "password" are good enough here.

2 - It turns out that requiring upper and lower case, numerals and symbols does not increase security.  In actuality, it is allowing upper and lower case, numerals and symbols that increases the number of guesses that password cracking software must use.  That is all that is needed.  There are lengthy explanations on the web, but this is succinct:

[Image: password_strength.png]
#2
Welcome to Linux Lite and its forum.  You're in the right place.

I can relate to the feeling that the password requirement shouldn't have to be so strict for the everyday forum user.  That may force someone to use a strict password here that they're using somewhere else, like their bank.  I admit when joining a forum, my gut just wants to get in and search for answers or ask my support question.

On the other hand, the forum user account database of another popular Linux distribution was breached earlier this year.  While we as individuals may not care much that someone may add or subtract to our own number of posts, what makes a forum are the contributions of the users and the knowledge base those collective comments create.  The 3.5 years of contributions to the Linux Lite forum have some value, and it would sure be a shame if the hours people spent adding to this knowledge base went up in smoke or were tainted by a ne'er-do-well.

Finally, in your cartoon snapshot, I believe what makes the lower case example secure is the length of the passphrase and the randomness of the words.  But there is some merit to using more than just lower case letters (only 26 in the English language) and a space in between to form a secure password.  Password length and more characters (52 upper and lower case letters, 10 digits, and I don't know how many special characters) do have a place in creating a strong, secure password.

Want to thank me?  Click my [Thank] link.
#3
Thank you for your feedback. There are other considerations here. For example, tough passwords as an anti-spam/bot measure. Before I increased the password strength requirement, we were inundated with bots joining the Forum. After I changed the criteria, bot registration came to an almost standstill. It's also not a bad idea to be an educator of using good, strong passwords, that's another role I see myself in here. We state this importance in the Help Manual, and there are threads on it here.

P.S. I love XKCD!

[img height=600 width=235]http://imgs.xkcd.com/comics/what_xkcd_means.png[/img]
#4
The first point I used is subjective, as torreydale pointed out, so it is reasonable to feel that Forum passwords should be secure.

So, I should summarize the second point, which is that requiring upper, lower, numerals and special characters does not increase the security of the password, whereas allowing them does increase the security of all passwords used on the site - because the password hacking software has to do more guesses for each character.  The hacking software does not know that any particular character is upper, lower, numeral or special - because the site has allowed all.  It's irrelevant whether users actually chose upper or numeral, etc. because the hacking software cannot know your choice.

As pointed out by XKCD, only the length indicates the strength of any individual password.
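The counting argument raised in posts #2 and #4, worked through as an added example that is not part of any post in the thread: it compares the number of possible passwords when all four character classes are allowed against the number when each class is required, and shows lower-case-only strings at several lengths. It assumes the 32 ASCII punctuation marks as the symbol set and that every character is chosen uniformly at random; the function names are made up for this illustration.

```python
import math
import string
from itertools import combinations

# Character classes. Assumption: symbols are the 32 ASCII punctuation marks.
CLASSES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}

def allowed_space(length, classes=CLASSES):
    """Count strings of `length` when every class is allowed, none required."""
    return sum(classes.values()) ** length

def required_space(length, classes=CLASSES):
    """Count strings of `length` holding at least one character of every class.

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two, and so on.
    """
    sizes = list(classes.values())
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count

def bits(n):
    """Size of a search space expressed in bits (log base 2)."""
    return math.log2(n) if n > 0 else float("-inf")

def report(lengths=(8, 12, 16)):
    """Rows of (length, allowed bits, required bits, fraction of space kept)."""
    rows = []
    for n in lengths:
        a, r = allowed_space(n), required_space(n)
        rows.append((n, bits(a), bits(r), r / a))
    return rows

if __name__ == "__main__":
    for n, a_bits, r_bits, frac in report():
        print(f"len {n:2d}: allowed {a_bits:5.1f} bits, "
              f"required {r_bits:5.1f} bits, fraction kept {frac:.3f}")
    # Lower-case-only strings, for the length versus alphabet comparison.
    for n in (8, 16, 25):
        print(f"len {n:2d} lower-case only: {bits(26 ** n):5.1f} bits")
```

These figures describe uniformly random strings only; passwords picked by people are not uniformly distributed over that space.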