Min. 10 Char Password?

vix86 · June 1, 2019, 6:20pm

I got logged out and when I tried to log back in I found that none of my usual passes worked, so I reset it. The reset wanted a password that was a minimum of 10 characters long! Now I don’t know if this is something enforced by Discourse or not, but I think that length is a bit overkill for just a language forum. I personally feel that password strength requirements should always reflect the sensitivity of the information secured by them.

Maybe others feel more strongly about this but I think 6-8 min characters is better and if people really think the forum needs more security then maybe add in requirements on capitalization, numbers, and symbols.

fkb9g · June 1, 2019, 6:35pm

This issue was discussed here on the Discourse forum.

fkb9g · June 1, 2019, 6:42pm

This other discussion from the Discourse forum suggests the setting is configurable (for forum administrators).

unseenjapan · June 1, 2019, 7:58pm

I ratcheted min password length down to 8. I’m not comfortable with anything less than that.

wareya · June 1, 2019, 8:08pm

8 is already pushing it. Anything below 10 is easy to break with a modern computer if you get your hands on a hash, at least a fast hash like mda5 or sha2. Discourse seems to use sha2 run a few thousand times, so it SHOULD be okay, but it pretty much just adds a couple of characters worth of complexity. 8 SHOULD be okay, but not by a huge margin, I think.

Use a password manager, guys. Heck, even writing down your passwords, which people demonized in the past, is better than exclusively using really short passwords.

Rivadavia23 · June 1, 2019, 8:36pm

I normally use 75 characters (if permitted) and LastPass. You can never be too sure.

unseenjapan · June 1, 2019, 8:39pm

This is what I do. I use LastPass, and most of my passwords are auto-generated and 18 chars long. I encourage people to use a similar app if they don’t do so already, and ensure you are using unique passwords for everything.

I agree that 8 is really pushing it and could cause issues. OTOH, I’m willing to try it, as I think the original poster had a point - we aren’t securing nuclear launch codes here. If there are any security issues, however, I reserve the right to bump it back up.

phil321 · June 2, 2019, 4:40am

I write my passwords down on paper…along with a hint only re: what the password is for, so that someone finding the paper won’t be able to use the passwords.

bertoni · June 2, 2019, 11:37pm

For passwords that don’t protect vital assets, like a checking account, a password manager is fine. I would memorize important passwords, like those for bank accounts, or write them down and keep them in a safe place. Two-factor login probably is best, though. Even for an account here, 10 characters seems like a bare minimum.

HelenF · June 3, 2019, 11:21am

Except for very trivial passwords, the password strength only matters if the database falls into the wrong hands (in this case if Hosted Discourse gets hacked?) so it’s probably more important not to reuse them.

wareya · June 3, 2019, 7:05pm

And that’s where having a password manager or writing down your passwords helps. If you have to remember all your 100 passwords you’re going to start reusing them.