jbaiguade
Member
74 Points
48 Posts
The password is too strict
Jan 30, 2008 04:56 PM
Hi, I won't remember my password tomorrow because the system forced me to write one that is too complicated (upper cases, special characters...). I think that a minimum of 8 characters is enough security; everything else just generates problems for the users.
Jesús Bosch
Blog: jbosch.wordpress.com
TATWORTH
All-Star
72415 Points
14017 Posts
MVP
Re: The password is too strict
Jan 30, 2008 05:16 PM
The reason for the complication is dictionary attacks, which can crack a single-word password in minutes.
A simple way is to use two words like Red Rose and put a special character such as ? between them, making the password "Red?Rose".
In part I have to agree with you, since complicated passwords make users write them down (an instantly dismissible offense in some companies). Even worse is when users have to remember multiple user-name/password combinations.
Click "Mark as Answer" on the post that helped you. This earns you a point and marks your thread as Resolved so we will all know you have been helped.
FAQ on the correct forum http://forums.asp.net/p/1337412/2699239.aspx#2699239
jbaiguade
Member
74 Points
48 Posts
Re: The password is too strict
Jan 31, 2008 07:28 AM
I know a forum with thousands of users and hundreds of thousands of visits like this may be a target for a hacker... Anyway, security must be a developer's concern, not a user concern. We, the developers, cannot hand the security responsibility to the users of our application.
There must be other solutions, like blocking IPs on N failed logins, or using randomly generated images with words inside at login... but forcing too-complicated passwords only decreases the number of users. Look, I am also registered with the login "jbmixed", but I don't remember the password and I had problems recovering it. The result: months without logging in to this forum, and finally registering with another login (and saving my password in my "My documents" folder).
This is becoming a security discussion :)
Jesús Bosch
Blog: jbosch.wordpress.com
bullpit
All-Star
21838 Points
4822 Posts
Re: The password is too strict
Jan 31, 2008 03:13 PM
I disagree... I don't believe that a complex password policy is a user deterrent, and I don't think the password policy here is that complex. For some reason, if I see a website with too simple a password policy, I become wary of its security policies. I consider my password fairly simple for this website, with just alphanumeric characters. That shouldn't be hard to remember. Forgetting a password is a user concern, and that's where password recovery kicks in. I don't know why it didn't work for you, but I have tested it time and again here and it always works for me.
As a user, I wouldn't like it if the policies you suggested were in place. I wouldn't want my IP blocked just because I tried a wrong password a few times. I wouldn't like to enter a security code with my password every time just to keep bots away.
Max
Let Me Google That For You!
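jbaiguade proposes blocking IPs after N failed logins and showing word images (a CAPTCHA) at login; bullpit objects to being blocked for a few wrong attempts. The throttle below is an added example in Python, not code from this forum or the site it runs on, showing a middle ground: failures are counted per account and per source IP inside a sliding window, a few mistakes cost nothing, and past the threshold the response is an escalating delay and a CAPTCHA step rather than a hard IP block. All thresholds and the clock injection are assumptions made for the example.

```python
import time
from collections import defaultdict

# Assumed policy values (constructed for this example, not from the thread).
ACCOUNT_FREE = 3      # a user may mistype a few times without any penalty
IP_FREE = 20          # a source IP may be a NAT shared by many users, so it gets more slack
CAPTCHA_LEVEL = 2     # ask for a CAPTCHA once the penalty level reaches this
WINDOW_SECONDS = 900  # failures older than 15 minutes are forgotten
MAX_DELAY = 60        # the enforced wait never grows beyond one minute


class LoginThrottle:
    """Tracks failed logins per account and per source IP inside a sliding
    window and answers with an escalating delay plus, later, a CAPTCHA,
    instead of blocking the IP outright."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable so tests can move time
        self.failures = defaultdict(list)     # (kind, key) -> failure timestamps

    def _recent(self, key) -> int:
        """Drop failures outside the window and return how many remain."""
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def record_failure(self, account: str, ip: str) -> None:
        now = self.clock()
        self.failures[("acct", account)].append(now)
        self.failures[("ip", ip)].append(now)

    def record_success(self, account: str) -> None:
        # A correct password clears the account counter; the IP counter keeps
        # protecting other accounts from the same source.
        self.failures.pop(("acct", account), None)

    def decision(self, account: str, ip: str) -> tuple[int, bool]:
        """Return (seconds to wait before the next attempt, captcha required)."""
        level = max(self._recent(("acct", account)) - ACCOUNT_FREE,
                    self._recent(("ip", ip)) - IP_FREE, 0)
        if level == 0:
            return 0, False
        return min(2 ** (level - 1), MAX_DELAY), level >= CAPTCHA_LEVEL
```

A mistyped password three times in a row yields no penalty, the fourth costs a one-second wait, and only from the fifth onward is a CAPTCHA demanded, while one IP hammering many accounts is slowed down after its own, larger allowance.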
tmorton
All-Star
56411 Points
9715 Posts
ASPInsiders
Moderator
Re: The password is too strict
Jan 31, 2008 05:04 PM
I want to point out that before the New Year we enacted a stronger password policy, which requires a minimum of 8 characters, including at least 1 uppercase, 1 lowercase, 1 number, and 1 special character. This was enacted as a security measure, to protect site members as well as the site. At least one member has pointed out that the password requirements are now more strict than those for a LiveID, and therefore the same password cannot be used for both. I've reported this to my Microsoft contact and they are considering what to do. Longer term, we should be rolling out LiveID to the site to help with this entire situation. But shorter term we *may* back off the strictness of the password a bit.
ASP.NET/IIS.NET Website Manager, Neudesic
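The policy tmorton describes (minimum 8 characters, at least one uppercase, one lowercase, one number and one special character) and TATWORTH's two-words-plus-separator advice can be put side by side. The code below is an added example in Python, not the site's own validation code: it checks a candidate against the stated rules and estimates the guess space of the three password styles discussed in the thread. The special-character set, the 100,000-word dictionary and the 32 separator characters are assumed values, not figures from the forum.

```python
import math
import string

# Policy as stated in the thread: at least 8 characters with at least one
# uppercase letter, one lowercase letter, one digit and one special character.
# Which characters count as "special" is not defined on the page; ASCII
# punctuation is assumed here.
MIN_LENGTH = 8
SPECIALS = set(string.punctuation)


def check_policy(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def guess_space_bits(dictionary_size: int = 100_000, separators: int = 32) -> dict[str, float]:
    """log2 of the number of candidates an attacker must try for three
    password styles. Dictionary size and separator count are assumed values."""
    word_bits = math.log2(dictionary_size)
    return {
        "single dictionary word": word_bits,
        "two words plus separator (Red?Rose)": 2 * word_bits + math.log2(separators),
        "8 random printable ASCII characters": 8 * math.log2(94),
    }


if __name__ == "__main__":
    for candidate in ("redrose", "Red?Rose", "Red?Rose1"):
        print(f"{candidate!r}: {check_policy(candidate) or 'accepted'}")
    for style, bits in guess_space_bits().items():
        print(f"{style}: {bits:.1f} bits")
```

Note that "Red?Rose" itself fails the site's policy for lack of a digit, even though it already lifts a single-word guess space of about 17 bits to roughly 38 bits; the policy's character-class rules do not measure that kind of strength.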
bullpit
All-Star
21838 Points
4822 Posts
Re: The password is too strict
Jan 31, 2008 06:03 PM
No wonder jbaiguade is so p****d off...
Max
Let Me Google That For You!
JoshStodola
Star
13736 Points
3177 Posts
Re: The password is too strict
Jan 31, 2008 06:54 PM
What's next, would you like my first-born child? And I thought our company network policy was strict!
If my company network account got hijacked, that would be a serious concern because I have access to numerous restricted resources that are crucial. If my forums account got hijacked, somebody might post an answer under my name. Or even worse, somebody might ask a question under my name (gasp! egad! NOOOOOOOOOOOOO!). Now which account should logically have the stricter security?
I think this password requirement is many years ahead of its time. In a web application, there are TONS of things you guys can do to prevent programmatic hijacks. So, please do tell, why did you choose the lazy route? We're supposed to look up to all of you, and I think you should take that trust into consideration when making decisions like these. Protect our sanity before protecting our accounts, please.
Best regards...
tmorton
All-Star
56411 Points
9715 Posts
ASPInsiders
Moderator
Re: The password is too strict
Jan 31, 2008 07:08 PM
Please consider the entire attack surface. A hijacked System Administrator account could do far more damage than a hijacked member account.
The security measure implemented was based on the recommendation of a security firm. As I stated earlier in this thread, Microsoft is considering easing up on the restrictions.
ASP.NET/IIS.NET Website Manager, Neudesic
JoshStodola
Star
13736 Points
3177 Posts
Re: The password is too strict
Jan 31, 2008 07:51 PM
That is understandable. What's stopping you guys from making your passwords as wildly complex as you wish?
I am not overly concerned with this requirement, since it's not negatively affecting me. However, if I were a new user, this would annoy the crap out of me. Probably to the point of giving up on any type of contribution (I can imagine seeing a question that I knew the answer to, wanting to answer it, but not being able to remember my password. I would not click "I forgot my password", I would probably just leave).
tmorton
All-Star
56411 Points
9715 Posts
ASPInsiders
Moderator
Re: The password is too strict
Jan 31, 2008 09:07 PM
Your point is taken, thanks. Again, as I stated earlier in this thread, Microsoft is considering easing up on the restrictions.
ASP.NET/IIS.NET Website Manager, Neudesic