General help

 
 
Beaker
Password Requirements for Moodle.org
 

The password requirement of a non-alphanumeric character is annoying and can't really help in the password world.

If someone wants to hack you they will.

Drop the requirement please.

-Rob

 
Marcus Green
Re: Password Requirements for Moodle.org

I have a 250Mb word list that would suggest otherwise. 

 
Dan Marsden
Re: Password Requirements for Moodle.org

Hi Robert - requiring non-alphanumeric characters improves the security of your password quite significantly - there has been a lot of research on this.

Here are some useful links:
http://www.microsoft.com/security/online-privacy/passwords-create.aspx
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

 
You either love it or you hate it
Re: Password Requirements for Moodle.org

No it doesn't!

It just creates a culture of writing one's password down or sticking it to the computer monitor on a Post-it note.

The application of forcing people to create non-rememberable passwords is counterproductive. They either have to write them down or forget them completely.

That's my ten pence worth anyway.

 
Richard Bakos
Re: Password Requirements for Moodle.org
 
Marcus Green
Re: Password Requirements for Moodle.org

You make a good point Albert, one of my Christmas presents last year was a book called Against Security, which discusses the wider areas of security as a process and security as theatre and the importance of the human and cultural issues involved.  However people can be taught to create easy to remember yet hard to crack passwords quite easily. 

One of my father's favorite jokes was that Albert Ramsbottom was fed up with his name and decided to change it to Fredrick Ramsb0tt0m-.

According to the how secure is my password site it would take a desktop PC about a year to crack the password Ramsbottom and about 4,000 years to crack the password Ramsb0tt0m-.  However as I teach my students, most hackers are not evil geniuses and they will go for the low hanging fruit and walk around the desks until they find that handy little yellow sticky bit of paper.

 

 
Gmads
Re: Password Requirements for Moodle.org

Hi Robert,

Just add a dash to your password string. How annoying can that be?

 
Beaker
Re: Password Requirements for Moodle.org
 

Annoying.

That research is not very good research.

Google considering a FOB is about the only real password protection.

One more point, who is after my Moodle.org password?

Paranoid much?

 
Gmads
Re: Password Requirements for Moodle.org

If you consider that annoying... anyway, I doubt that Moodle admins will disable that requirement, but who knows?

Key fob.

 
Marcus Green
Re: Password Requirements for Moodle.org

"That research is not very good research."

What do you base that statement on?

 

 
Beaker
Re: Password Requirements for Moodle.org
 

You really think an @ sign will secure your password?

 

 
Marcus Green
Re: Password Requirements for Moodle.org

Security is a process. Adding complexity to a password can make it more secure. What do you think security is?

 
Douglas Broad
Re: Password Requirements for Moodle.org
 

Added length could balance lack of special characters.

Mixing languages could help. Added length could help.  Each should be an option.  Allowing special characters makes the system as difficult as requiring them IMO.

Which is more difficult to crack?

A. Password1?

B. Eintwo3vier5six

C. WhicHismehrdifFiculttocraCk

The last 2 passwords mix languages and hide duplicate characters within a word by changing case.  Whatever is used should be easy for humans to remember and difficult for computers to crack.  Of course, the lazy man would choose A.

A case where special characters would probably aid crackers would be:

this-is-my-password

Some websites offer a heuristic analysis to determine password strength rather than a set of fixed requirements.

 
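Added example (not part of any post in this thread): the crack-time figures quoted for Ramsbottom and Ramsb0tt0m- and the A/B/C comparison above both depend on how the guessing is done. The Python below sets the search space of exhaustive guessing beside a word-list check that undoes common substitutions; `WORDLIST`, `UNLEET` and all function names are constructed for illustration.

```python
import math
import re
import string

# Constructed stand-in for a cracking word list (assumption, not from the thread).
WORDLIST = {"password", "ramsbottom", "this", "is", "my"}
# Common substitutions mapped back to letters (assumed rule set).
UNLEET = str.maketrans("01345@$", "oleasas")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(pw):
    """Alphabet an exhaustive search must cover (ASCII classes only)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))

def brute_force_bits(pw):
    """log2 of the exhaustive search space: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def dictionary_words(pw):
    """Return the word-list entries pw is built from, or None.

    Splits on separators, trims digits and @/$ from the ends of each part,
    then undoes substitutions. Run-together words are not segmented.
    """
    parts = [p for p in re.split(r"[^a-z0-9@$]+", pw.lower()) if p]
    words = [p.strip(string.digits + "@$").translate(UNLEET) for p in parts]
    return words if words and all(w in WORDLIST for w in words) else None

def assess(pw):
    """Pair the exhaustive-search estimate with the word-list finding."""
    return {"bits": round(brute_force_bits(pw), 1),
            "words": dictionary_words(pw)}

if __name__ == "__main__":
    for pw in ("Ramsbottom", "Ramsb0tt0m-", "Password1?", "Eintwo3vier5six",
               "this-is-my-password", "savethecheerleadersavetheworld"):
        print(f"{pw:32} {assess(pw)}")
```

A password that comes back with a `words` list is covered by a word list plus substitution rules whatever its `bits` figure says; with this constructed list, only the entries returning `None` are left to exhaustive search.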
Christian Herman
Re: Password Requirements for Moodle.org

Ah, security vs. usability.

Your suggestion is a best of both worlds approach as people have to be taught how to create secure yet rememberable passwords.

At my last company I developed a relationship with the branch IT head. The company changed the admin password on a monthly basis so he had no problem telling me what it was on the last day as he typed a lengthy string on my PC to authorize a system update. The company had no requirements except length. Employees were later encouraged to use extended phrases of personal meaning for their own passwords. They are easy to remember and hard to breach with brute force. Perhaps not quite as secure against confidence schemes but I never saw post-it'ed passwords around the office.

The admin password he typed? "savethecheerleadersavetheworld"

For the record, I find the requirement of non-alphanumeric characters annoying.  I also find the requirement of numerals annoying.  I guess I'm hard to please...

 