
Password limitations

3K views 25 replies 14 participants last post by  sparticvs  
#1 · (Edited by Moderator)
"1 error prohibited this account from being saved
There were problems with the following fields:

Password may contain only letters and numbers - no spaces or punctuation allowed"

I think it's important to not have any limitations on how a password can be constructed, except maybe length. But even that seems to be a weird way to save a few bytes of data in 2018.
 
#2 ·
I have a federal bank account that has the same limitation on passwords (letters + numbers only). The difference between letters + numbers only and letters + numbers + punctuation characters is not as much as you may think.

For an 8 character password:

Letters+numbers only = ~2.18 X 10^14 possibilities.
Add in punctuation = ~5.76 X 10^14 possibilities.

The characters used have nothing to do with saving a few bytes of data, since the password is represented the same internally regardless. But the exclusion of punctuation characters does make the web interface easier to code and easier to strip for malicious character sequences, thereby actually making it safer.

Cheers,
Brad
 
#3 ·
If we add just two more characters and add symbols to our little 8 character password, we theoretically lengthen the cracking time more than 70 fold over adding just two more alphanumeric characters.

If we have a 12 character password with symbols, it might take 170 times longer to crack than an alphanumeric password of the same length.

16 characters: more than 900 times improvement with symbols.

20 characters: more than 5000 times improvement with symbols.

So yes, symbols are every bit as important as I might think when I'm trying to come up with passwords with fewer characters to remember on sites that aren't federal banks.
 
#6 · (Edited by Moderator)
If we add just two more characters and add symbols to our little 8 character password [...]
- RobinDobbie
Now you are on the right path… The lengthening of the password (e.g., going from 8 to 10 characters) will give you an exponential increase, while adding characters to the available character set only gets you a linear one.

Cheers,
Brad
 
#7 ·
Now you are on the right path…
Thank fark I have you to tell me I'm on the right path.

My point wasn't about lengthening the password. It was that for just about any given length of password one tries to remember, the effectiveness of the password is multiplied if it is merely allowed to contain symbols. The fun thing is, it might not even have to actually contain symbols to potentially waste some of a cracker's time.
 
#9 · (Edited by Moderator)
no one is asking you to stay here if you don't like it you are free to leave :<))

- GR8HUNTER
WHO is your slightly OFF Comment "no one is asking you to stay here if you don't like it you are free to leave" addressed to? The Author of this Post? Try clicking on the "Quote" word to highlight who YOU are addressing. Like I just did for yours.
 
#11 ·
If you'd have read my original post you'd know that all I was suggesting was no limitations on password creation. If you don't want a "very strong" password, don't bother with one. I'll admit I certainly haven't. But why not have as good a password as you can get with whatever length you have chosen?
 
#12 ·
I understand making passwords stronger.

However, can someone tell me why a very strong password is needed for this site? Maybe someone hacks your account for fun but what is there to gain since there is really no usable personal information.

- Redoak49
Read up on how hackers stair-step through accounts to get to your accounts that are really sensitive. You'd be amazed at how losing your LJ account to a hacker could lead to compromising all your accounts.
 
#13 · (Edited by Moderator)
That is very interesting about how a hacker could use my LJ account to compromise my other accounts.

Could you briefly explain how? My passwords for sensitive accounts are just random letters, numbers and symbols and nothing like my LJ account.

Do you have any examples of how this was done to an LJ member?

Maybe I should change my LJ password from "Password"?
 
#14 · (Edited by Moderator)
That is very interesting about how a hacker could use my LJ account to compromise my other accounts.

Could you briefly explain how? My passwords for sensitive accounts are just random letters, numbers and symbols and nothing like my LJ account.

Do you have any examples of how this was done to an LJ member?

Maybe I should change my LJ password from "Password"?

- Redoak49
LOL now you know that's not your password ….. it is redoak49 LOL :<)))))))
 
#15 ·
Another breach on Facebook, so what?

I am bewildered that people actually keep confidential information on a site like Facebook.
In my opinion Facebook is just another "Lumberjocks like" site, why would you keep confidential information on either?
 
#16 ·
Nowadays hackers have programs that run all possibilities of password combinations beginning with "a" through any number of characters. It takes time for the program to run and what would they gain by hacking LJ?

I figure if they take the time and trouble to hack my identity, they can have it, bills and all! If they charge something to me and it can't/won't correct, to hell with them. I am old enough that before a court could assess me a bill I will pass away anyway. They can't hack my cash.
 
#17 ·
Another breach on Facebook, so what?

I am bewildered that people actually keep confidential information on a site like Facebook.
In my opinion Facebook is just another "Lumberjocks like" site, why would you keep confidential information on either?

- oldnovice
FACEBOOK is just out to grab all it can. There is NOTHING Private on that Site! There are 1 or 2 people on here that are Addicted to Facebook! We have too many "Social Connections" on here! Everything from here goes on those "Lonely Heart" Connections. Get Rid Of Them!
 
#22 ·
I really like peanut butter

- TheFridge
Finally something worth reading. I am going to have an apple with peanut butter right now on my Alder serving platter.

FYI - People often think of a short set of random characters like "*K>#)0$j4" as super secure, but a long string of memorable words like "golfkangaroocrispyhalitosis" is actually stronger.

The reason has everything to do with password entropy: a representation of how much uncertainty there is in a password. This translates to how computationally difficult a password is to crack. Simply put, adding length increases entropy more efficiently than replacing letters with symbols.
 
#25 ·
To the original point: punctuation and spaces can be problems for software because they are commonly used as delimiters, i.e. signal that one variable/field has ended and another has begun. "So what" might say a user, but the problems caused by these can bring some systems to a halt. Why is it a bad idea to flush golf balls down the toilet? Because the plumbing isn't designed to accommodate them. Why no punctuation in passwords here? Similar reason.
 
#26 · (Edited by Moderator)
The no spaces and punctuation was because in the '00s, developers didn't know how to parameterize queries with the database to limit injection attacks. Things just broke when they entered spaces, so how do you get around it? Fix the programming flaw? No, just say no spaces and other punctuation that breaks it. General best practices are that you don't ever actually store the secret, you store a representation of the secret that is a result of a one-way function. In that case, no character actually matters to the storage, since it is all normalized.

When someone said, "why does it matter, it's just LJ" that is because people who have gained trust in the community and post a lot are likely to be the target of spammers that are looking to access accounts and change URLs in posts to point to infected things. It's no longer about "what" is getting hacked, it's about what that now enables an adversary to accomplish.
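
The two practices named in post #26, parameterized queries and storing only the output of a one-way function, shown together as an added example (not part of the original thread and not LumberJocks' code). The table layout, function names, sample account names and passwords, and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def derive(password: str, salt: bytes) -> bytes:
    """One-way function: any Unicode password becomes a fixed 32-byte digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return db


def register(db: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt
    # "?" placeholders pass values as data, never as part of the SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, derive(password, salt)))


def verify(db: sqlite3.Connection, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(digest, derive(password, salt))  # constant-time compare


def demo() -> dict:
    db = open_db()
    # Constructed sample input containing the characters the signup form rejects.
    phrase = "it's a \"long\" pass phrase; -- with punctuation!"
    register(db, "o'brien", phrase)
    register(db, "brad", "plainletters123")
    digests = [d for (d,) in db.execute("SELECT digest FROM users")]
    return {
        "punctuated_ok": verify(db, "o'brien", phrase),
        "trailing_space_rejected": not verify(db, "o'brien", phrase + " "),
        "plain_ok": verify(db, "brad", "plainletters123"),
        "unknown_user": verify(db, "nobody", phrase),
        "digest_lengths": sorted({len(d) for d in digests}),
    }


if __name__ == "__main__":
    print(demo())
```

Both stored digests are 32 bytes regardless of which characters the password contained, and the apostrophe in the account name and the quotes, semicolon, and spaces in the password never reach the SQL parser.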