We’ve all been there.

  • Tyler_Zoro@ttrpg.network
    link
    fedilink
    English
    arrow-up
    39
    ·
    1 year ago

    Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.

    • fubo@lemmy.world
      link
      fedilink
      English
      arrow-up
      22
      ·
      edit-2
      1 year ago

      Since 2017 at least; and IIRC years before that; that’s just the earliest NIST publication on the subject I could find with a trivial Web search.

      https://pages.nist.gov/800-63-3/sp800-63b.html

      Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

      “Memorized secrets” means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.

    • Rufio@lemm.ee
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 year ago

      I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.

      • EmpatheticTeddyBear@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’m still waiting on an XKCD that references #936 with the fact that we soon as we have reliable, functional quantum computing, all of the passwords from before that point in time will be completely and utterly broken. That the only way to make a password that a quantum computer would have a tough time breaking is if it was made by another quantum computer. Unless of course the comic has already been made and I just missed it, which is a complete possibility because this year for me has been utterly crap.

        • Archpawn@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Some of them are broken by quantum computers, but not all of them. For example, SHA256. You can use Grover’s algorithm to take sqrt(n) steps to check n possible passwords, which on the one hand means it can be billions of times faster, but on the other hand, you just need to double the length of the password to get the same security vs quantum computers. Also, this is the first I’ve heard of a hash that uses a quantum computer. Do you have a source? Hashes need to be deterministic, and quantum computers aren’t, so that doesn’t seem like it would work very well.

          Maybe you’re getting mixed up with using quantum encryption to get around quantum computers breaking common encryption algorithms?

      • Proweruser@feddit.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        Except you can run a dictionary attack on that and suddenly it’s only 4 variables that are cracked way faster than the first password.

      • Proweruser@feddit.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        Except you can run a dictionary attack on that and suddenly it’s only 4 variables that are cracked way faster than the first password.

    • cley_faye@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      People should be made aware of all the tools available to properly manage tons of passwords. Not even going too deep into “passkey” stuff or any modern shenanigans, but a password manager used to generate random passwords for each separate sites is such a simple step.

    • Meowing Thing@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Yeah! And nowadays the industry is pushing towards password less authentication. Github just started rolling it out to beta users