4
votes
3 answers
835 views

Websites Forcing Weak Password Standards (Updated) [duplicate]

Please Note: I am not going to name the websites which have these horrible standards for their clients and users. I have had to change my passwords for my routine update just recently in the last ...
3
votes
4 answers
218 views

Are limited length passwords a security risk? [duplicate]

I found a webpage where users can be registered. However, it seems that the length of the password must be between 6 to 12 characters. Is that a security risk?
2
votes
1 answer
1k views

Why do websites limit password length? [duplicate]

I just made a new account with some eGov service (Belgian government). I use LastPass (which generates long, random strings for each site), but the system told me that the maximum allowed length was ...
0
votes
2 answers
227 views

Passwords: Symbols and length > 20 disallowed [duplicate]

I'm going through a bunch of accounts at the moment changing my passwords, some of them are looking a little weak and I've reused them, but I keep coming across websites that don't allow you to use ...
521
votes
11 answers
109k views

How to securely hash passwords?

If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone? I should point out that this relates only to retrieval directly from the ...
164
votes
10 answers
36k views

Is “the oft-cited XKCD scheme […] no longer good advice”?

I was stumbling around and happened onto this essay by Bruce Schneier claiming that the XKCD password scheme was effectively dead. Modern password crackers combine different words from their ...
217
votes
7 answers
43k views

What's the rationale behind Ctrl-Alt-Del for login

Why is Ctrl+Alt+Del required at login on certain Windows systems (I have not seen it elsewhere, but contradict me if I'm wrong) before the password can be typed in? From a usability point of view, ...
54
votes
9 answers
22k views

Why Disallow Special Characters In a Password?

The culprit in this case is a particular (and particularly large) bank that does not allow special characters (of any sort) in their passwords: Just [a-Z 1-9]. Is there any valid reason for doing ...
47
votes
9 answers
6k views

Can users make use of a password manager when banks tell them never to write passwords down?

Consider a user who wants to use a password manager for their banking passwords. Advice from banks usually says they should never write down their password. The user would be concerned about going ...
30
votes
3 answers
5k views

Why don't popular web services mask the CVV?

Most popular web services like PayPal, Google Wallet, and others do not mask CVV numbers, eg: (<input type="password">). As I read, the CVV is a security feature and it seems logical to mask it ...
20
votes
4 answers
5k views

Would allowing shorter passwords sometimes be more secure?

Does the act of requiring certain criteria for passwords make them easier to brute-force? It's always seemed to me that when websites limit the use of "insecure" passwords, it might make it easier ...
9
votes
7 answers
2k views

How to securely counter users from adding a single digit to their old password upon creating a new one? [duplicate]

Let's say that in the password policy the password history is defined to remember the last 10 passwords. I understand password history exists so that if a password is recovered from a compromised ...
6
votes
3 answers
2k views

Where did common “minimum password length” guidelines originate?

Not long ago, the common wisdom was that passwords should be at least 8 characters long. These days, the most common minimum is 12. Where did these common values originate? Interestingly, 8 is ...
2
votes
4 answers
461 views

Why do some passwords not allow certain types of characters?

Is there any programming related reason why some passwords cannot have certain characters? If the idea in storing a password is to store its hash, since a hashing function can take any input (ok at ...
4
votes
3 answers
161 views

Can a password be the same as its hash?

So me and my friend were pondering why passwords have a max length (and found the answer here) and I had an odd thought.. could a password be the same as its hash? I realize that salted hashes are ...
