I can't seem to find a straight answer to this question. Does anyone know the maximum length a Google account password can be?
It appears to be 100 characters.
Wow, that must be some secret stuff you are working on!
That would be supercalifragilisticexpialidocious three times plus one character.
Yeah, I'm working on some quake-proof accounts. ;)
I just use my social security number for important quake-proof accounts. It's 11 characters, so that seems pretty secure. Do you think that's a bad idea?
100 characters is a strange number. I would think they would do 64 or 128 so I could use a hash of my social security number ;-)
Seriously, they're probably storing it as a hash anyway.
I certainly hope that they're storing my passwords as a hash. ;)
Most of my passwords are about 20-25 characters of randomized characters, numbers and symbols. If I know the maximum password size a service will support I'll just generate a password around that size.
If you're using your SS# I hope you're hashing it a few times at least.
Bill.... you should know me better than that by now.
I use a password manager (usually Lastpass, but previously Roboform) and I randomly generate passwords using as much variety as allowed (some systems only allow alphanum), though usually only in the 10-12 char range.
I suppose I should go through and vet all my old passwords and make them a bit longer and check for any legacy passwords based on words (the only time I really use a word is when it is a throwaway account, in which case it's usually the same old word and let the hackers in; no skin off my back).
Quote from: ergophobe on April 13, 2011, 05:13:58 PM
Bill.... you should know me better than that by now.
Yes, I neglected an extra smiley at the end of that one. ;)
LastPass is my preferred tool these days as well. 10-12 characters is a bit short for me though. Try taking the LastPass Security Challenge to see how your list stacks up: https://lastpass.com/index.php?securitychallenge
Wow, you guys were serious.
You know, as much as I put on, I don't think anyone would really give a shit about me or what I think or do. If someone was hell bent on figuring me out I'm pretty sure they could. And then we would be faced with what they could possibly do if they broke my secret codes. Post some crazy post here or on Facebook? Really? Do you think you could tell the difference? Sure my bank password is different than the rest, but what could you possibly do that would cause me enough anguish that I would feel I needed a 99 character password?
Am I naive? Or too self centered? I'm having trouble finding the line in the sand...
If we're auto-generating random passwords that we're never going to remember without a tool then why not go for a more secure password length? It's no more effort to generate a 5 character password than it is 100. 100 characters may be a bit overkill, but I wanted to see how big they were allowing.
What's the point? I don't want to make it easy for anybody to just "figure me out" online simply by cracking a password. They're going to have to work for it...on each and every site. However, you're right that there probably isn't a need for passwords that long and complex on the web for the most part. You'd want something moderately complex and random, and then you should never use the same password on more than one site.
What could they do with access to your accounts? That would certainly vary on the account. A Google account could be connected to a wealth of information depending on the person and what they have stored in there. Could somebody gather enough information out of one or more of your accounts to impersonate you and use that to financially harm you? It is being done.
>Sure my bank password is different than the rest, but what could you possibly do that would cause me enough anguish that I would feel I needed a 99 character password?
I don't know about 99 chars, but in the short term, a major problem would be access to hosting accounts. A permanent one would be registrar accounts.
I hear you, Dras, I guess I was fixated on the 99 character part. Seems like at some point there are diminishing returns.
I guess it goes w/out saying that you can't access anything unless you are on that machine, so if you are mobile, your machine dies, gets stolen, etc., you would spend your whole life requesting new passwords?
I dunno. I guess I should stop using 'password' for all my passwords then.... :)
Yeah, I should have known that you should have known.
>>LastPass Security Challenge
That's a handy tool - the detailed report is excellent.
And it all gets me thinking about how much is just in my email and how old some of my passwords are.
>>Lastpass
I find Roboform actually works better, but just not $30/machine and $20/year better.
>>Isn't Roboform or equivalent the new weakest link?
That crosses my mind often. You may well be right in your approach...
Quote from: JasonD on April 14, 2011, 06:06:38 PM
I'd rather have a few passwords - All "secure enough" with a couple of mega secure passwords - and use them appropriately depending on the place I log into. I know this all in my head so Last Pass, RoboForm etc isn't the weak link.
It's not just the security of the passwords themselves, you don't want to use the same passwords across sites. You never know when one of these places is going to be compromised. The recent Gawker site hack got one of my passwords, but it was unique to that site and couldn't be used elsewhere even if they could have figured it out.
Perhaps I am a bit too trusting of some security people I know who have vetted LastPass. Everything appears to be encrypted locally before being sent off "home". I'm convinced that they couldn't do anything with the information that gets sent, otherwise I wouldn't consider having a weak link like this in the chain. The strong password I have on that account, plus the second factor authentication required to get at my account gives me some sense of security. You can choose from a random code matrix that you carry in your wallet, a USB key or a YubiKey. Someone could get my password, but not my account unless they had my key as well. If they've got me and my key then I have bigger problems to worry about.
That's my abbreviated calculation of using this particular app. But I agree that nothing is safer than your own noggin. Mine just isn't big enough to carry all of the passwords I want in the format I want. The best password is the one you can't remember in my book.
Like the Gawker example I mentioned before, it's just a matter of time before one of the sites with one of your "secure" passwords screws up. Then somebody has access to all of the sites where you used that particular login. I certainly understand it's a tradeoff.
I would not use programs like roboform. Don't trust them. Especially since my fear is that they might send all my passwords to someone, or could.
Strong protection for weak passwords
The passwords of the future could become more secure and, at the same time, simpler to use. Researchers at the Max Planck Institute for the Physics of Complex Systems in Dresden have been inspired by the physics of critical phenomena in their attempts to significantly improve password protection. The researchers split a password into two sections. With the first, easy to memorize section they encrypt a Captcha – an image that computer programs per se have difficulty in deciphering. The researchers also make it more difficult for computers, whose task it is to automatically crack passwords, to read the passwords without authorization. They use images of a simulated physical system, which they additionally make unrecognizable with a chaotic process. These p-Captchas enable the Dresden physicists to achieve a high level of password protection, even though the user need only remember a weak password.
more:
http://www.eurekalert.org/pub_releases/2011-04/m-spf042011.php
Shouldn't that be the HTML5 <cough></cough> to work on an iPhone.