8 should be totally acceptable


Discourse is obsessed with security

they even put the entire software in a Docker container

this is clearly a topical transgender topic

Unfortunately they don’t seem to get that security should be “good enough” and not “as good as possible”. Do you agree that 8 characters is a good enough length for passwords?

Is it because of security or ease of deployment?

Here the programmer of Discourse talks about it

Perhaps you’re a skeptic. That’s great, me too. What happens when we try a longer random.org password on the massive cracking array?

9 characters: 2 minutes
10 characters: 2 hours
11 characters: 6 days
12 characters: 1 year
13 characters: 64 years

Alright, Jeff is a great programmer and I use his creations every day (Discourse and Stack Overflow). I’m by no means in a position to say he’s wrong… and he really isn’t.

Also, I find it great that he chose to go for password length instead of mixing different classes of characters, as it’s been proven that increasing password length is way more effective than increasing the alphabet range.

Note however that these numbers come from a simulation of an off-line attack, i.e. the attacker has your entire database in his local storage. If that’s the case then the difference between 2 hours and 2 minutes is irrelevant. All our sensitive data would be in their hands anyway (I suppose Discourse has a telemetry system that stores our location and other sensitive data).

And… If you leaked your entire database you have a lot more to worry about!

tl;dr: Making the minimum password length 10 instead of 8 has little security benefit and compromises a lot of usability.

Jeff Atwood has always been a theory over functionality guy lol

same with me, I almost made this forum only for male lesbians, but then realized that would probably not be very functional

Basically a public chat with DarthDva?


“Password must be 10 characters… password must have upper and lower case… password must have one of the following symbols: @, &, %, #, !, +, -, etc. etc.”

Let me just use one of my random ass passwords and fuck off… hate how places increasingly put these restrictions to make it idiot proof.

He wants to make discourse passwords nation-state-hacking safe in the near future for what it’s worth.

lol it’s less secure if you forget your own password hahaha

