mitro-co / mitro

Repository for all Mitro client & server code
GNU General Public License v3.0
1.64k stars 242 forks

Changed the default from 8 characters to 16. Default increased security. #41

Closed denadai2 closed 10 years ago

denadai2 commented 10 years ago

If a user wants, he can decrease it.

evanj commented 10 years ago

Hm. The issue here is that we attempted to set the defaults so that the generated passwords would be accepted by "most" web sites. Unfortunately, 16 characters is pretty long, since at the time we did a bit of research, a few sites had maximum length restrictions of ~12 characters. Unfortunately I don't recall the details at the moment, but this makes me slightly hesitant to increase the default. Let me bug Vijay and see if he remembers.

I agree that this is ridiculous, but the good news is that you get a huge benefit from using a unique password. While longer passwords are always better, I'm personally less worried about someone cracking my unique password on a single site, and more worried about password re-use.

denadai2 commented 10 years ago

So let's default to 12... 8 is very short :)


fredericmohr commented 10 years ago

+1 for 12.

It's a huge increase of security while still fitting in most password schemas and it sets a good example for not using the minimum requirements.

denadai2 commented 10 years ago

Done :) I agree with @fredericmohr

evanj commented 10 years ago

This looks good to me. Let's give it a shot! Looks like I need to build a beta release of the extension this week. Give me a few days and I'll have a public build you can test.

denadai2 commented 10 years ago

;) can you also document a bit how to install/develop this extension? I would really help, but all the dirs are very fragmented and it's difficult to understand. It would be awesome to have just 6-7 lines of description like "in this dir/file you have the crypto system we use..., in this..." :) thxx