Password Length

Started by: k89bpa
On: 14/01/2019 | 00:48
Replies: 28
by: k89bpa
on: 14/01/2019 | 00:48

I know the minimum password length is 8 characters but what is the maximum password length?

 

In light of the fact that people have had their accounts compromised elsewhere which has led to accounts being compromised here and with the continued lack of 2FA I'd like to propose that the minimum password length be doubled and that people be forced to change their passwords every three months.

 

I believe this will drastically reduce the risk of accounts being compromised in the future and greatly reduce the risk of cross account passwords being used moving forward.

 

I recently changed all of my passwords, (everywhere, not just here), and discovered that some hadn't been updated since 2014 which is ridiculous, especially for someone so supposedly security conscious, so I can only imagine how potentially vulnerable some people have left their accounts. 

 

So to recap, I'm proposing:

 

a) Double the minimum password length to 16 characters, (12 at the very least)

b) Make users change their passwords every three to six months


Accepted Solutions
by: endorphin
on: 14/01/2019 | 17:15 edited: 14/01/2019 | 17:20

@rqt wrote:

"You can have very strong and, importantly, random passwords and all you have to remember is the authentication for the password manager."

 

This is very true - BUT you do have to implicitly trust the password manager - which itself is frequently an online service & therefore hackable. If hacked it would then give unfettered access to all accounts. So I think I'll not use one (online or otherwise).

True you do have to trust the password manager:

  • so use one that has a great, not merely good, reputation. I use Bitwarden, which is open source, meaning that its code can be (and has been) examined for flaws, defects and vulnerabilities by anyone.
  • being online means I can access my passwords from any location and device if necessary, all I have to remember is the master password. Naturally you would not do this from a public WiFi hotspot without using safeguards, eg a VPN.
  • all decent password managers encrypt all user information so even if hackers stole the user database they would not be able to extract any useful information in a reasonable time
  • the increase in protection afforded by having different, strong, random passwords for each and every account is worth any nominal or perceived risk attached to using a password manager
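As an added illustration of the third bullet above (the vault is encrypted, so a stolen user database is not immediately useful), here is a small Python model of what a password manager stores and what a thief of that data actually has to do. This is example code written for this thread, not Bitwarden's or any other manager's implementation. It assumes scrypt from the standard library as the slow key-derivation function and, because the standard library has no AES, uses HMAC-SHA256 in counter mode with encrypt-then-MAC as a stand-in for the real cipher (a real manager would use AES-GCM or XChaCha20-Poly1305). The vault contents and the attacker's wordlist are constructed sample data.

```python
"""Added example (not from the thread or any real password manager):
a master-password-protected vault, and the offline attack a thief of the
stored blob must run.

Assumptions: hashlib.scrypt as the slow KDF; HMAC-SHA256 counter-mode
keystream + HMAC tag as a stand-in for an AEAD cipher, since the standard
library ships no AES. The KDF cost per guess is the point of the example.
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # work factor; raise N in production
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    okm = hashlib.scrypt(master_password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return okm[:32], okm[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF stream standing in for a cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag, i.e. what the service stores."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the password is wrong or the blob was tampered with."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time tag check
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def offline_attack(blob: bytes, guesses: Iterable[str]) -> Tuple[Optional[str], float]:
    """What a thief of the stored vault does: try candidate master passwords.

    Every guess costs a full scrypt derivation. Returns (found password or
    None, seconds per guess) so the cost of a large wordlist can be extrapolated.
    """
    start = time.perf_counter()
    tried, found = 0, None
    for candidate in guesses:
        tried += 1
        if open_vault(candidate, blob) is not None:
            found = candidate
            break
    per_guess = (time.perf_counter() - start) / max(tried, 1)
    return found, per_guess


# Constructed sample vault contents and a constructed attacker wordlist.
SAMPLE_VAULT = b"giffgaff: Xq7!vR2pLm9#zT\nbank: 8sWd$kLp2Qz\n"
ATTACKER_WORDLIST = ["password", "letmein", "giffgaff2019", "correct horse"]

if __name__ == "__main__":
    weak = seal_vault("letmein", SAMPLE_VAULT)
    strong = seal_vault("turnip-glacier-umpire-verdict-sloth", SAMPLE_VAULT)
    for label, blob in (("weak master", weak), ("strong master", strong)):
        found, per_guess = offline_attack(blob, ATTACKER_WORDLIST)
        print(f"{label}: recovered={found!r}, about {per_guess * 1000:.0f} ms per guess")
```

The caveat this shows: the encryption only holds if the master password is not in the attacker's wordlist. A weak master password falls to a short dictionary run regardless of the cipher; a long random one forces the attacker to pay the scrypt cost for every guess across a keyspace they cannot finish.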
by: revjonty
on: 14/01/2019 | 03:59
Please explain. How the dickens does forcing people to change their password every 3 months improve security?

I would think it makes it entirely possible that the result would be a load of people with really easy to hack passwords, because they have to be able to remember what they put, so they would probably cycle through various obvious things. Or write the blooming thing down.
As for 16 digits minimum, go take a jump in a lake.

I've had the same 4 digit pin on my bank card for over 2 decades. Does that make it less secure than if I changed it all the time? Does it buttery. It is far more secure because it's committed to memory rather than written down.

Sorry but this is a completely ill-conceived non-starter.

by: kath72
on: 14/01/2019 | 07:11
Completely agree @revjonty ... I have a secure password system with variations but it is not as long as that ... and if I had to keep changing it I’d have to write it down or keep sending myself password resets because I couldn’t remember it

I’m laughing ... I’ve had the same bank PIN for at least that length of time ... the only time it’s been disconcerting is when the school entry PIN was, coincidentally, the same for a year 😂😂😂
by: inspiron42
on: 14/01/2019 | 08:22
I don't think changing passwords regularly adds anything to security. The main thing is to make it hard to guess or calculate, which you can't do if it is constantly changing.
by: 4128334
on: 14/01/2019 | 08:41
@k89bpa
Good Morning,
I hope your suggestions are never adopted.
If you pick your Password carefully to make it unique there is no need to have a minimum of 16 digits.
As an 84-year-old I cannot imagine being able to remember a Password of that length.
With regards to changing it every three months my remarks above apply to this proposal.
Have a Great Day.
by: shabazmoqsud
on: 14/01/2019 | 10:54

@k89bpa with the security problems and scams ongoing with giffgaff it's not enough for members to change their passwords every 3 months; as others have said, giffgaff as a network provider has to do more, i.e. 2-factor authentication as well as security questions attached to each member account.

by: endorphin
on: 14/01/2019 | 11:12 edited: 14/01/2019 | 11:25

Where account security is paramount then specifying longer passwords and the regular changing of passwords makes sense. Changing passwords regularly means that if a site does get hacked and unencrypted logon credentials are stolen you stand a chance of foiling anyone who purchases the information, as it could take time for the hackers to process and act on the information.

 

Having different, strong and unique passwords for each site makes total sense and this is where password managers play their part. You can have very strong and, importantly, random passwords and all you have to remember is the authentication for the password manager.

 

Having said that I doubt many giffgaff members would appreciate having to use longer passwords and to have to change them regularly.

 

However as I use a password manager myself I would not be put out should giffgaff decide to implement this suggestion.

by: dez_d
community giff-staffer

on: 14/01/2019 | 11:44 edited: 14/01/2019 | 12:02

Not sure what the maximum length is but if I do find out then i will update here. If you want to test it I'd start with 256 then 128, 64 etc. Update: The password length is unlimited from what I've been told.

 

At giffgaff we are required to change our logins every few months. Yes it is an inconvenience but in the name of security I can see why it's worth it.

 

I used to be very guilty of using non-secure passwords and they would be used across different sites. All that changed when I started here.

I personally use a password manager (LastPass) and have done for a while. The initial changing of 109 passwords was a major pain but I know that I'm a lot more secure.

 

Now I'm not suggesting that you add any of your used passwords here but you could add a variant of it. I used to use an 8-character password that had a capital letter, punctuation, lower case letters and numbers. I was very shocked when this website told me it would take 4 weeks to crack. That password is now not used. All my passwords are now in the trillions of years to crack.

 

If you also want a good read then check out diceware on google. There are plenty of apps that do this and I have one for iOS.

 

Here is one of my less secure passwords:

[screenshot: Capture.PNG]

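The "time to crack" figures in the post above, and the 8-versus-16-character proposal at the top of the thread, both come down to entropy: how many equally likely candidates an attacker has to try. As an added example written for this thread (not from the post's screenshot site, any Diceware app, or giffgaff), the Python below computes the expected brute-force time for the candidate policies and generates a Diceware-style passphrase with the `secrets` module. The assumed guess rate of 10^10 per second is an illustrative figure for an offline attack on a fast hash, not a measured one; the 7776-entry word list is a constructed placeholder standing in for a real list such as the EFF long wordlist.

```python
"""Added example (not from the thread): compare the brute-force effort
against random passwords of different lengths with a Diceware-style
passphrase, and generate such a passphrase with the `secrets` module.

Assumption: an attacker with a stolen hash database guessing at
GUESSES_PER_SECOND against a fast hash. Real rates differ by orders of
magnitude with the hash algorithm and hardware; this number is illustrative.
"""
import math
import secrets

GUESSES_PER_SECOND = 1e10          # assumed offline cracking rate (illustrative)
PRINTABLE_ASCII = 95               # letters, digits and punctuation
DICEWARE_WORDS = 6 ** 5            # 7776 words, indexed by five dice rolls
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy in bits of `symbols` independent uniform picks from an alphabet.

    A character password is picks from 95 printable characters; a Diceware
    passphrase is picks from a 7776-word list. A human-chosen password is
    not uniform, so for those this is only an upper bound.
    """
    return symbols * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find a uniformly random secret of `bits` entropy.

    On average half of the keyspace is searched before the right guess.
    """
    return (2.0 ** bits) / 2.0 / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def dice_index(rolls) -> int:
    """Map five physical dice rolls (each 1..6) to a wordlist index 0..7775."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("Diceware uses exactly five rolls of a six-sided die")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(wordlist, n_words: int = 6, sep: str = " ") -> str:
    """Pick `n_words` uniformly from a 7776-entry list using a CSPRNG.

    secrets.randbelow(6) + 1 stands in for each physical die roll, so the
    selection is uniform and the estimate from entropy_bits() holds.
    """
    if len(wordlist) != DICEWARE_WORDS:
        raise ValueError("wordlist must have exactly 7776 entries")
    words = []
    for _ in range(n_words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(5)]
        words.append(wordlist[dice_index(rolls)])
    return sep.join(words)


# Constructed placeholder list so the example runs offline; a real list is
# e.g. the EFF long wordlist (7776 English words).
PLACEHOLDER_WORDLIST = [f"word{i:04d}" for i in range(DICEWARE_WORDS)]


def compare() -> dict:
    """Expected crack time in seconds for the policies discussed in the thread."""
    cases = {
        "8 random printable chars": entropy_bits(8, PRINTABLE_ASCII),
        "12 random printable chars": entropy_bits(12, PRINTABLE_ASCII),
        "16 random printable chars": entropy_bits(16, PRINTABLE_ASCII),
        "6-word Diceware passphrase": entropy_bits(6, DICEWARE_WORDS),
    }
    return {name: expected_crack_seconds(bits) for name, bits in cases.items()}


if __name__ == "__main__":
    for name, seconds in compare().items():
        print(f"{name:28s} about {describe(seconds)}")
    print("example passphrase:", diceware_passphrase(PLACEHOLDER_WORDLIST))
```

Two things worth noticing from the output: a truly random 8-character password lasts days, not weeks, at this assumed rate, so the "4 weeks" figure depends entirely on the rate the checker assumed; and six Diceware words (about 77 bits) sit between 12 and 16 random characters while being far easier to remember, which is the practical answer to the "16 characters is too long" objections in this thread.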
by: rqt
on: 14/01/2019 | 11:46

"You can have very strong and, importantly, random passwords and all you have to remember is the authentication for the password manager."

 

This is very true - BUT you do have to implicitly trust the password manager - which itself is frequently an online service & therefore hackable. If hacked it would then give unfettered access to all accounts. So I think I'll not use one (online or otherwise).

by: pault1974
on: 14/01/2019 | 14:12

41 years for a computer to crack my password? I'm quite happy with that.

[screenshot: PaulT1.png]
