Why do passwords have to be so difficult???

by Jamie Smith -
Number of replies: 16

I just wondered if someone could explain why Moodle has made password security so complicated.

I have never used a system before (work network / banks / credit cards etc) that needs a password to have Lower Case, Upper Case, numbers, and non-alphanumeric characters before?

What's wrong with just letters and numbers - it's not like we are protecting national security?

Yours frustratedly because I keep forgetting my password

Jamie wink

In reply to Jamie Smith

Re: Why do passwords have to be so difficult???

by Marcus Green -
There is a direct relationship between password complexity and security.

http://en.wikipedia.org/wiki/Password_strength

Just letters and numbers means a brute force tool is more likely to be able to break in

http://www.securiteam.com/tools/2QUQ2PPRPG.html

People are lazy; they will pick easy to guess passwords if left to their own devices. It is still easy to come up with an easy to remember but hard to guess password. For example if you select an upper case first letter that is fairly easy to remember (and of course easy for any system to guess at), you can pick the most common punctuation character that comes to mind and then pick a number that you associate with a letter. For example (and this is a bad password but does demonstrate the technique)...

instead of password, you could use Pa33word!

By the way if you are the webmaster you can simply turn off the password policy, but if you do get hacked, you know the first point of vulnerability to check.
In reply to Jamie Smith

Re: Why do passwords have to be so difficult???

by Iñaki Arenaza -

You can change the password policy to suit your needs/conveniences smile

Simply go to Administration >> Security >> Site Policies, and scroll down till the password policy settings, and change them to your will.

Saludos. Iñaki.

Average of ratings: Useful (1)
In reply to Iñaki Arenaza

Re: Why do passwords have to be so difficult???

by Jamie Smith -

Thanks both for your replies - our site is actually amended so that we can match our Company policies and people can have the same password.

It's actually just this forum I was moaning about I suppose.

I have so many different accounts - work and personal - and ALL of them allow me to use letters and numbers (upper or lower case)

So I can choose 1 password for everything - apart from the Moodle forum.

I am sure I will be told I am not very secure having 1 password for everything.

But there is no way anyone is going to guess monkey63

Ooops...

wink

In reply to Jamie Smith

Re: Why do passwords have to be so difficult???

by Marcus Green -
You are not very secure having 1 password for everything, but although I don't think anyone is going to guess monkey63, you might make it harder to guess by changing it to m0nkey63

smile
In reply to Marcus Green

Re: Why do passwords have to be so difficult???

by Jamie Smith -

Maybe I will.......especially as I just saw a feature by the scare police on identity theft on TV!

clown

In reply to Jamie Smith

Re: Why do passwords have to be so difficult???

by Derek Patterson -
I have to agree with Jamie. I can barely remember "normal" passwords, much less passwords that use obscure rules. A system that is so secure as to be user unfriendly is counter productive.
In reply to Derek Patterson

Re: Why do passwords have to be so difficult???

by Marcus Green -
Convenience is always more important than security, until just after you have been compromised.
In reply to Marcus Green

Re: Why do passwords have to be so difficult???

by Glenys Hanson -
Hi there,

Here is one way to remember a secure password.
Create a short, memorable sentence(s) and select the first letter of each word + punctuation + numbers.

Example:

Who are you 2? My goodness!

Gives:

Way2?Mg!

Cheers,
Glenys
Average of ratings: Useful (1)
In reply to Glenys Hanson

Re: Why do passwords have to be so difficult???

by Dale Davies -
Yep, a pass-phrase is always easier to remember. Usually harder for any brute force or dictionary based attack to work out. As long as the password/pass-phrase is not so obvious that anybody could guess if they know you.
In reply to Jamie Smith

Re: Why do passwords have to be so difficult???

by Mike Landis -
I am frustrated by this too.

Many sites don't allow special characters in passwords. Some do. Some don't. I use a different password for each site but I use a password scheme so I don't have to write my passwords down.

The REQUIREMENT for a special character on the moodle forum breaks my password scheme (which must be the same for all sites or it wouldn't be a scheme!)

So I will just put my moodle forum password on a sticky note and tape it to my computer monitor. ;)

AT THE VERY LEAST with all these weird requirements for passwords, the requirements should be listed when you log in and your password fails. Then at least I could see what this place's weird rules are.

It's almost as bad as Dot Net Nuke (and other sites) mailing you your current password in plain text when you forget it.... (without telling you that they are going to do this) ... but not quite that bad!

In reply to Mike Landis

Re: Why do passwords have to be so difficult???

by Glenys Hanson -
Hi Mike,

You might like to read this BBC article: Call to improve password security which explains why you need a "12-character combination of upper and lower case letters, symbols and digits" to be secure.

Cheers,
Glenys
Average of ratings: Useful (1)
In reply to Glenys Hanson

Re: Why do passwords have to be so difficult???

by Dale Davies -
The problem is that many people (including me) use too many websites to remember unique passwords for each of them.

  • I use a "social networking" password for all social networks (12 chars but no upper case just 2 numbers, 1 special char combined into a phrase I'll remember).
  • And an email password (20 character phrase combined with upper case, numbers and special characters).
  • Banking passwords (if possible 256 bit random passwords like... "f2f68652f3653b97f0e73aa26b804d2e9226fdb3bbf907d77c09ac277c240b4e" - stored in KeyPass on my home desktop machine - not the laptop which I carry around).

This way I only have to remember 2 passwords, what is important is that your email password is different from everything else. Also, don't do banking or store important passwords on machines that you carry with you, just in case you lose that machine.
Average of ratings: Useful (1)
In reply to Glenys Hanson

Re: Why do passwords have to be so difficult???

by Mike Landis -
I would love to use a password like that. I'm all for security. But some websites do not allow symbols. And some do. My users are not capable of managing multiple passwords for their accounts.

The issue is that the login screen does not state the password requirements - so I can't know what password it needs when I'm logging in. Because I can't see the rules.

Failure to state the password requirements at login is not a security feature, either. Because that information is available to a hacker setting up a "new account."

I just wish that Moodle, and other sites, would put the requirements on the login page.

"Your password has at least one upper case character, one lower, one number, and one symbol."


For me personally, I use a password manager and have four different password schemes in use. For sites like this one (where I could really care less if someone hacks in or not) I just use my least secure one.




In reply to Mike Landis

Re: Why do passwords have to be so difficult???

by Aaron Wells -
For what it's worth, Moodle does list the password requirements on the signup page, though not the login page.

There's actually a function in weblib.php that dynamically generates a description of the current password requirements -- print_password_policy(). So, it would be pretty easy to add that to the login page. Alternately, one can use the "Users->Authentication->Manage Authentication->Instructions" setting to paste in some custom instructions on the login page, or use the "Alternate Login URL" setting to provide an entirely custom login page.

Not that any of this changes what's up on moodle.org, but at least it would be relatively easy to put the password requirements on the login page for your own Moodle instance.
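
The request made in this thread, that the password rules be shown to the user and named when a password is rejected, sketched as an added example (not Moodle's code and not written by any poster): one policy table drives both the displayed description and the check, so the two cannot drift apart. The field names and the minimum length of 8 are assumptions; the one-of-each character class rule follows the wording quoted above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Hypothetical field names and defaults, not Moodle's configuration keys.
    min_length: int = 8   # assumed value; the thread does not state one
    min_digits: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_symbols: int = 1

    def rules(self):
        """One table of (minimum, label, matcher) used by describe() and unmet()."""
        return [
            (self.min_length, "character(s) in total", lambda c: True),
            (self.min_digits, "digit(s)", str.isdigit),
            (self.min_lower, "lower case letter(s)", str.islower),
            (self.min_upper, "upper case letter(s)", str.isupper),
            (self.min_symbols, "non-alphanumeric character(s)",
             lambda c: not c.isalnum()),
        ]


def describe(policy):
    """Text to show on the signup, login or password-change page."""
    parts = [f"at least {n} {label}" for n, label, _ in policy.rules() if n > 0]
    return "The password must have " + ", ".join(parts) + "."


def unmet(policy, password):
    """Return the requirements a candidate fails; an empty list means accepted."""
    failures = []
    for n, label, matches in policy.rules():
        have = sum(1 for ch in password if matches(ch))
        if have < n:
            failures.append(f"at least {n} {label} (found {have})")
    return failures


if __name__ == "__main__":
    site = PasswordPolicy()
    print(describe(site))
    # Candidates are the passwords quoted in this thread.
    for candidate in ("monkey63", "Pa33word!", "Way2?Mg!"):
        print(candidate, "->", unmet(site, candidate) or "accepted")
```

Pa33word! passes every rule here even though the post that suggested it calls it a bad password: composition rules count character classes, they do not measure how guessable a password is.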
In reply to Mike Landis

Re: Why do passwords have to be so difficult???

by Dale Davies -
I can't imagine why a website would not allow special characters in their passwords, that just seems absurd to me. What they are saying is - "We don't care about security" - they probably store passwords in plain text too.

I wonder if there should be more regulations regarding this?
In reply to Dale Davies

Re: Why do passwords have to be so difficult???

by Glenys Hanson -
Hi Dale,

Maybe they do it so that they can more easily crack our passwords. Or am I being paranoid? mixed

Cheers,
Glenys