
  • Robin Winslow Morris 20 posts 82 karma points
    Jan 14, 2013 @ 17:03
    Robin Winslow Morris
    0

    Should member passwords really contain 1 non alpha numeric character?

    Default Umbraco offers this helpful hint when choosing a password for members:

    Password: The password should be a minimum of 7 characters long and contain at least 1 non-alpha numeric character(s)

    There are plenty of password cracking algorithms out there that are very good at predicting where people will use non-alpha-numeric characters in their passwords, such that they really don't make the password that much stronger. See: http://xkcd.com/936/. It is *always* more beneficial to make a password longer instead. I.e. compose it of multiple words. Easy for humans to remember, hard for computers to guess.

    I would like to suggest that this particular tip is removed, because I would like to advise users in my organisation *not* to use random capitals, numbers or non alpha-numeric characters because it's far more useful that a person be able to accurately remember their password than the very slight complexity that this adds for a cracking algorithm.

    Thoughts?

  • Lee Kelleher 4020 posts 15802 karma points MVP 13x admin c-trib
    Jan 15, 2013 @ 10:58
    Lee Kelleher
    101

    Hi Robin,

    I guess the message was put in as a guideline a long time ago. Of course, general opinions towards password strengths/patterns are changing/evolving.

    I'd suggest raising a ticket on the issue tracker with any suggestions/improvements you have. Also opens it up to further discussion amongst the core team.

    http://issues.umbraco.org/issues/U4#newissue=yes

    Thanks, Lee.

  • Robin Winslow Morris 20 posts 82 karma points
    Jan 15, 2013 @ 14:09
    Robin Winslow Morris
    1

    Thanks Lee

    Glad you agree, I've created a ticket: http://issues.umbraco.org/issue/U4-1477

    Robin
