Why are 10 character passwords required for this forum?


#1

Why aren’t 8 characters enough? Or even less? Forum access is not of a particularly high value.


#2

I don’t know why the specific choice was made here, but regardless: you shouldn’t care about length, you should use a random, distinct, generated password with a password manager.

I might guess that 10 is the default for the platform, and that was chosen so that it’s longer than is typical for other sites, to discourage password reuse (because shorter passwords allowed elsewhere won’t succeed) and perhaps encourage the above.

Also, I suspect that in the case of this forum, a lot of people are using GitHub federated identity assertion and thus have no local passwords anyway.


#3

It’s probably just the default for Discourse. For some Discourse forums/users, it is a high-value account.

I recommend using a password manager that will generate passwords for you, so you won’t be burdened by the requirements.


#4

I do that. The issue is that due to all the Spectre variants I’m moving to a manual system for managing passwords, and 10 character passwords don’t fit into this system well (my standard password length is 8 characters since time immemorial, except for a select few high value passwords).


#5

We’re rustaceans, we value safety :wink:


#6

How does manually managing passwords help against a sandbox-busting browser attack?


#7

The passwords aren’t all sitting in the browser’s memory all the time as a juicy target. Hopefully they are in memory only briefly, when they are entered.


#8

:+1:

Having a GitHub account to file bugs or give feedback on tracking issues is a good thing anyway, and federating that is way better than making two forum accounts (since there’s IRLO too).


#9

Here is Jeff Atwood’s (@codinghorror, Discourse founder) take on passwords:

We’ve read so many sad stories about communities that were fatally compromised or destroyed due to security exploits. We took that lesson to heart when we founded the Discourse project;

https://blog.codinghorror.com/hacker-hack-thyself/

Short answer: because GPUs are ridiculously fast, and most people still have sucky password (re)usage.

Money quote from the pen-tester they hired to test discourse security:

Using common password lists and masks, I cracked 39 of the 11,997 hashes in about three weeks, 25 from the ████████ community and 14 from the ████████ community.

The “starcraft2” password he recovered was a nice touch, I felt personally.

As for my personal take on it:
That password doesn’t just protect your data, it also protects our community from account-takeover trolling, which can damage the trust in the community itself, which is far more insidious than a few leaked private messages.


#10

If you’re moving due to security concerns, then 8-char passwords should be your biggest concern, much bigger than Spectre.

SHA-1 of a random 8-char password is crackable in 3 minutes on a home computer; 12 chars in ~3 years; 14 in ~2000 years. If you’re making all the effort of changing passwords, just go for 16-char ones.
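Posts #9 and #10 rest on the same arithmetic: an unsalted fast hash plus a large hash rate makes short passwords cheap to search exhaustively, and every extra symbol multiplies the cost by the alphabet size. The following Python script is an added example, not code from this thread, from Discourse, or from the linked blog post. It recovers a constructed 4-character SHA-1 target by brute force to measure this machine's own hash rate, then extrapolates the expected search time for 8 to 16 character passwords drawn from the 94 printable ASCII symbols. The target password and the GPU figure `ASSUMED_GPU_HASHES_PER_SECOND` are assumptions chosen for illustration; substitute a benchmark you trust.

```python
"""Brute-force cost of unsalted SHA-1 passwords: measure, then extrapolate.

Added example, not from the thread. The GPU rate below is an assumption.
"""
import hashlib
import itertools
import math
import string
import time

LOWER = string.ascii_lowercase                                        # 26 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed target: the unsalted SHA-1 of a short, lowercase password.
TARGET_PASSWORD = "rust"
TARGET_HASH = hashlib.sha1(TARGET_PASSWORD.encode()).hexdigest()

# Assumed throughput of one consumer GPU on raw SHA-1 (hypothetical figure).
ASSUMED_GPU_HASHES_PER_SECOND = 1e10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(alphabet_size: int, length: int,
                           hashes_per_second: float) -> float:
    """Average time for exhaustive search: half the keyspace at the given rate."""
    return keyspace(alphabet_size, length) / 2 / hashes_per_second


def format_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, e.g. '1.5 minutes'."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3g} seconds"


def brute_force_sha1(target_hex: str, alphabet: str, max_length: int):
    """Exhaustive search, shortest candidates first (what a mask attack does
    once wordlists are exhausted). Returns (password or None, hashes tried)."""
    tried = 0
    for length in range(1, max_length + 1):
        for symbols in itertools.product(alphabet, repeat=length):
            tried += 1
            candidate = "".join(symbols)
            if hashlib.sha1(candidate.encode()).hexdigest() == target_hex:
                return candidate, tried
    return None, tried


def measure_hash_rate(alphabet: str = LOWER, max_length: int = 4):
    """Crack the constructed target and report this machine's SHA-1 rate."""
    start = time.perf_counter()
    found, tried = brute_force_sha1(TARGET_HASH, alphabet, max_length)
    elapsed = time.perf_counter() - start
    return found, tried / max(elapsed, 1e-9)


if __name__ == "__main__":
    found, cpu_rate = measure_hash_rate()
    print(f"recovered {found!r} at {cpu_rate:,.0f} SHA-1/s in pure Python")
    print(f"{'len':>3} {'bits':>6} {'this CPU':>16} {'assumed GPU':>16}")
    for length in (8, 10, 12, 14, 16):
        bits = entropy_bits(len(PRINTABLE), length)
        cpu = format_duration(
            expected_crack_seconds(len(PRINTABLE), length, cpu_rate))
        gpu = format_duration(
            expected_crack_seconds(len(PRINTABLE), length,
                                   ASSUMED_GPU_HASHES_PER_SECOND))
        print(f"{length:>3} {bits:>6.1f} {cpu:>16} {gpu:>16}")
```

Run it and compare the two columns: the ratio between them is the gap between a Python loop and a GPU cracker, while each step down the table multiplies both by 94 per added symbol. A slow password hash (PBKDF2, bcrypt, scrypt, Argon2) lowers the rate; only length and alphabet change the exponent, which is why the thread's advice converges on longer generated passwords.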


#11

Then use a password manager that isn’t cloud-based. In fact, I believe there’s even one written in Rust!


#12

https://keepass.info/