DEV Community

Discussion on: 5 things to do before reinstalling your mac

krkd

A personal recommendation is to set up a 32 digits unique password for each service you use.

Please do not do that, at least not without some consideration first. There are plenty of software solutions, services and sites out there that struggle with passwords that long.

The best case you get is that they strip all the characters after the 12th (which seems to be some magic length after which problems start). Worst case is that your password is accepted, then horribly mangled before being stored in the database, resulting in an inability for you to log in.

Since you are already using a password manager, you're not re-using passwords anymore. That means you've successfully eliminated one of the biggest password-related security risks out there. Making your passwords artificially longer does not add any meaningful security.

I used pwgen -y 12 to create the password "CophohJ#eo6o" and tested it against howsecureismypassword.net. It would take a modern computer over 30,000 years to crack this password, and even if we throw a lot of computing power against it, we'd still be talking about hundreds of years that it would take for someone to brute-force this password.

Then I used pwgen -y 32 to create the password "nu5ca$JieQu1oozooph7Cu6nohchahQu", testing it against the same site. The result was that it would take roughly 2 tredecillion years for someone to crack that password. Obviously, that's significantly longer than with a password that's only 12 characters long. But... how realistic is it that the password in question is going to be still relevant in hundreds of years?

(Please note that you should never randomly paste actual passwords into a third-party service; I was just using this as a quick way of measuring the impact of the password length.)

If you really want to enhance the security of your accounts, add a second factor to your authentication process. Which, coincidentally, is something password managers (at least 1Password has that feature) can help you with.
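The comparison above can be reproduced offline instead of pasting passwords into a website. The script below is an added example, not code from the comment author or from howsecureismypassword.net: it estimates the keyspace of a pwgen -y style password from the character classes it contains (the symbol set is pwgen's; the 94-character union and the guess rates are assumptions) and turns that into an expected brute-force time. Note that pwgen's default output is pronounceable rather than uniformly random, so the figure is an upper bound; pwgen -s gives fully random output.

```python
import math
import string

# pwgen -y adds symbols from this set to lowercase, uppercase and digits.
PWGEN_SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of character classes present in the password.

    Assumes the attacker knows which classes the generator used (the usual
    conservative modelling assumption) but nothing else about the password.
    """
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (PWGEN_SYMBOLS, len(PWGEN_SYMBOLS)),  # 32 symbols in pwgen's set
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Bits of entropy if every character were drawn uniformly from the alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def expected_crack_years(password: str, guesses_per_second: float) -> float:
    """Expected time to find the password by exhaustive search.

    A uniform search succeeds after half the keyspace on average.
    """
    keyspace = 2.0 ** entropy_bits(password)
    return (keyspace / 2.0) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The two passwords quoted in the comment above.
    samples = ["CophohJ#eo6o", "nu5ca$JieQu1oozooph7Cu6nohchahQu"]
    # Assumed attacker capabilities: a single GPU against a fast hash, and a
    # large cluster. Real rates depend entirely on the hash the service uses.
    rates = {"one GPU, fast hash (1e10/s)": 1e10, "large cluster (1e14/s)": 1e14}
    for pw in samples:
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"{entropy_bits(pw):.1f} bits")
        for label, rate in rates.items():
            print(f"  {label}: {expected_crack_years(pw, rate):.3g} years")
```

The point the numbers make is the same one the comment makes: at 12 characters from a 94-character alphabet the expected search time is already far beyond the lifetime of the account, and the extra 130 bits from 32 characters only matter if the service actually stores all 32 characters and hashes them properly.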

Mauro Garcia • Edited

Thanks for your suggestions! Do you have any source of info about that thing you mention about not using very long passwords? I would like to read more about that topic before changing my passwords.

Great advice about using things like 2FA (that's one of the main reasons I'm using 1Password)

krkd

Thanks for your suggestions! Do you have any source of info about that thing you mention about not using very long passwords? I would like to read more about that topic before changing my passwords.

I can't give you any proper sources, unfortunately. Very few vendors tend to document that kind of behavior (for obvious reasons), so I can't offer anything more than my word, based on experiences.

  • Supermicro IPMI - the official maximum password length is 20 characters, has been for half a decade. In reality, everything that's longer than 20 characters will be trimmed and ignored.
  • IBM Sterling Supply Chain products - the same applies here, the maximum password length is 20, but everything more than the minimum password length, 8 characters, gets trimmed and ignored. Additionally, documentation states that usernames cannot contain certain special characters such as ampersand. This also applies to passwords; you'll get a very useless error message when you try to use those.
  • SAP Data Access server has a maximum password length of 30. If you go over that, the software trims it down to 30 and adds a newline-symbol (???) before storing it. If you manually set the password-policy to a maximum length of 30 you'll be fine.

Those are concrete products I can name off the top of my head. I've had disappointing experiences with European financial systems as well, but those are anecdotal and I'm not entirely willing to flat-out condemn those products because of that.
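Silent truncation of the kind listed above can be checked for on any account you own, without vendor documentation: set a long password, then see whether a shorter prefix of it still logs you in. The script below is an added example, not code from the comment author or from any of the named products. It contains a constructed stand-in for a backend that cuts the password to a fixed length before hashing (the `TruncatingPasswordStore` class and its limits are assumptions modelled on the 20- and 30-character behaviour described above) and a probe that finds the truncation length by binary search over prefix lengths, so it needs only a handful of login attempts rather than one per character. Against a real service, run it only on your own account and mind lockout thresholds.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional


class TruncatingPasswordStore:
    """Constructed model of a backend that silently trims passwords.

    Only the first max_len characters are hashed and stored, so any password
    sharing that prefix verifies successfully. The bug is in _hash().
    """

    def __init__(self, max_len: int) -> None:
        self.max_len = max_len
        self._salt = os.urandom(16)
        self._digest: Optional[bytes] = None

    def _hash(self, password: str) -> bytes:
        cut = password[: self.max_len]  # the simulated truncation bug
        return hashlib.pbkdf2_hmac("sha256", cut.encode("utf-8"), self._salt, 10_000)

    def set_password(self, password: str) -> None:
        self._digest = self._hash(password)

    def verify(self, password: str) -> bool:
        if self._digest is None:
            return False
        return hmac.compare_digest(self._digest, self._hash(password))


def probe_truncation(verify: Callable[[str], bool], password: str) -> Optional[int]:
    """Return the shortest prefix length of `password` that still logs in.

    `verify` is any login callable (here the store's verify, in practice a
    function that submits a login form). Returns None when only the full
    password is accepted, i.e. no truncation was observed. Uses binary search:
    prefixes at or above the truncation length succeed, shorter ones fail, so
    acceptance is monotonic in the prefix length.
    """
    if not verify(password):
        raise ValueError("full password was rejected; the account state is unknown")
    if len(password) < 2 or not verify(password[:-1]):
        return None  # dropping one character breaks login: no truncation
    lo, hi = 1, len(password) - 1  # invariant: password[:hi] is accepted
    while lo < hi:
        mid = (lo + hi) // 2
        if verify(password[:mid]):
            hi = mid
        else:
            lo = mid + 1
    return hi


def login_attempts_needed(password: str) -> int:
    """Upper bound on verify() calls probe_truncation makes: 2 plus the search."""
    return 2 + max(1, (len(password) - 1).bit_length())


if __name__ == "__main__":
    # The 32-character password quoted earlier in the thread.
    pw = "nu5ca$JieQu1oozooph7Cu6nohchahQu"
    # Assumed limits: 20 (IPMI-style), 30 (SAP-style), 8 (minimum-length bug),
    # and a store that keeps the whole password.
    for limit in (20, 30, 8, 1000):
        store = TruncatingPasswordStore(limit)
        store.set_password(pw)
        found = probe_truncation(store.verify, pw)
        print(f"store max_len={limit:>4}: probe reports "
              f"{'no truncation' if found is None else f'truncated at {found}'} "
              f"(at most {login_attempts_needed(pw)} login attempts)")
```

If the probe reports a truncation length, the effective strength of the password is that of the prefix, which is the number to feed into any crack-time estimate; a 32-character password stored as its first 8 characters is an 8-character password.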