Archive for the ‘Security’ Category

Why are you limiting the length of my password?

Tuesday, April 8th, 2008

At what point in your infinite wisdom did you think it was a security practice to limit the length of my password to 6 or even 8 characters?

OK, so let's play a little game. There are 94 printable characters on my keyboard, assuming that I can count (probably not, though). Now, let's get something straight first: I understand that some programmers don't know how to properly escape input, so for the sake of this argument we will leave some characters out of the possible password alphabet. Let's say 75, to be fair, because a lot of sites don't allow certain characters and I can't count. This ~75 still includes punctuation, numbers, capital letters, etc.

The following is # of characters in the password to # of possible passwords (75 raised to the length):

1 - 75

2 - 5,625

3 - 421,875

6 - 177,978,515,625

7 - 13,348,388,671,875

8 - 1,001,129,150,390,625 - that's ~1 quadrillion (10^15) possible passwords.

14 - 178,179,480,135,440,826,416,015,625 - that's ~178 septillion (1.8 × 10^26) possible passwords.

… It goes on.

Now, we all know computers are fairly badass, so which would you feel more secure with? Especially knowing that someone has password-cracking software that is built to do nothing but generate passwords and try them against your login?

OK, I will agree that a quadrillion possible passwords is a lot, and if you are not using dictionary words it is MUCH harder for cracking software to work. But every extra character multiplies the count by 75 (nearly two orders of magnitude each), so going from 8 to 14 characters buys another eleven orders of magnitude, and that makes it far less likely that someone is going to brute-force your password.

If we take it a bit further and add all of the possible passwords of shorter lengths to the counts shown above, the numbers increase slightly (by about 1.4%, since all the shorter lengths together come to roughly 1/74 of the longest one), but not enough to change the order of magnitude. It still makes a difference, and the would-be attacker also has to know your username, not just your password.
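As an added example (not part of the original post), here is the arithmetic above as a small Python script: it reproduces the table, adds the cumulative count of all shorter passwords and the bits of entropy each length represents, and estimates how long exhausting each keyspace takes at an assumed guess rate. The 75-character alphabet is the post's; the figure of 10^9 guesses per second is my assumption for a single offline cracking rig and is only there to make the numbers concrete.

```python
import math

ALPHABET = 75  # the post's alphabet size after dropping characters some sites reject


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def keyspace_up_to(length, alphabet=ALPHABET):
    """Number of passwords of 1..length characters: what a cracker that tries
    short candidates first has to walk through before finishing length n."""
    return sum(alphabet ** n for n in range(1, length + 1))


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(alphabet)


def orders_of_magnitude_gained(short, long, alphabet=ALPHABET):
    """How many powers of ten the keyspace grows going from `short` to `long`."""
    return math.log10(keyspace(long, alphabet) / keyspace(short, alphabet))


def years_to_exhaust(length, guesses_per_second, alphabet=ALPHABET):
    """Worst-case time to try every password of exactly `length` characters."""
    seconds = keyspace(length, alphabet) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumption: one offline cracking rig doing a billion guesses/s
    print(f"{'len':>3} {'exact':>40} {'cumulative':>40} {'bits':>6} {'years@1e9/s':>12}")
    for n in (1, 2, 3, 6, 7, 8, 14):
        print(f"{n:>3} {keyspace(n):>40,} {keyspace_up_to(n):>40,} "
              f"{entropy_bits(n):>6.1f} {years_to_exhaust(n, rate):>12.3g}")
    print(f"8 -> 14 characters gains "
          f"{orders_of_magnitude_gained(8, 14):.1f} orders of magnitude")
```

At the assumed rate, an 8-character password from this alphabet falls in under two weeks of worst-case search, while a 14-character one takes billions of years; the cumulative column shows that counting all the shorter passwords too barely moves the totals.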

Now let's talk storage. You are hopefully hashing my password before storing it in a database, so the length of the password won't matter at all there: the digest is a fixed size whatever I type in. Unless of course you are using some proprietary reversible scheme (which is encryption, or worse, not hashing) so that you can give my password back to me. DON'T DO THAT!
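To make the storage point concrete, here is an added Python example (not code from the original post) that stores a password as a salted PBKDF2-HMAC-SHA256 digest and shows the digest is the same 32 bytes whether the password is 3 characters or 500, so the storage side needs no length cap. It also includes the kind of "reversible" scheme the post warns against (a fixed-key XOR, which is just weak encryption) to show that its output grows with the password and lets the site recover it. The iteration count, salt size and the demo key are my assumptions, not anything from the post.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows
ALGORITHM = "sha256"
DIGEST_LEN = 32       # output size of SHA-256, fixed regardless of input length


def hash_password(password, salt=None):
    """Return (salt, digest). The digest is always DIGEST_LEN bytes: PBKDF2 never
    truncates, because HMAC hashes over-long inputs instead of cutting them."""
    if salt is None:
        salt = os.urandom(16)  # assumed salt size
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=DIGEST_LEN)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time; the password itself is never stored."""
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                                    ITERATIONS, dklen=DIGEST_LEN)
    return hmac.compare_digest(candidate, digest)


def stored_size(password):
    """Bytes of digest stored for a given password (always DIGEST_LEN)."""
    return len(hash_password(password)[1])


def tail_matters(password, salt=b"fixed salt for demo"):
    """True if text appended past byte 72 still changes the digest, i.e. the scheme
    does not silently truncate (bcrypt, by contrast, only looks at the first 72 bytes,
    which is a reason to cap at a generous length, never at 8)."""
    longer = password + "x" * 100
    return hash_password(password, salt)[1] != hash_password(longer, salt)[1]


# --- the thing the post says not to do: a "reversible hash" -------------------
SITE_KEY = b"not-a-secret-once-the-database-leaks"  # constructed demo key


def reversible_store(password):
    """Fixed-key XOR 'obfuscation'. Output length equals password length, and
    anyone holding SITE_KEY (e.g. whoever dumps the database) gets it back."""
    data = password.encode("utf-8")
    return bytes(b ^ SITE_KEY[i % len(SITE_KEY)] for i, b in enumerate(data))


def reversible_recover(blob):
    """Exactly why 'we can email you your password' is a red flag."""
    plain = bytes(b ^ SITE_KEY[i % len(SITE_KEY)] for i, b in enumerate(blob))
    return plain.decode("utf-8")


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("digest bytes:", len(digest),
          "verify:", verify_password("correct horse battery staple", salt, digest))
    print("3-char vs 500-char digest sizes:", stored_size("abc"), stored_size("a" * 500))
    print("72-byte tail still matters:", tail_matters("p" * 72))
    blob = reversible_store("hunter2")
    print("reversible blob length:", len(blob), "recovered:", reversible_recover(blob))
```

The salt plus 32-byte digest is a fixed-size column no matter what the user types, which is the whole point; the XOR variant stores one byte per password character and hands the plaintext to anyone who gets the key and the table.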

I don’t want you to send me my password back. I would much rather have to go through the trouble of resetting it, than have you email it to me.

So what is it? Why the hell are you limiting my password length?

Feel free to list sites that limit password length below. And if you can, send me a link to their reason why!


Stop Bots from eating up Your Bandwidth

Wednesday, September 19th, 2007

If you have to pay for every KB or MB that you go over on your hosting plan, Bad Behavior may be the solution for you. By blocking known link spammers and bots, this script will lower your bandwidth usage and take the pain out of your hosting bill at the end of the month. It is open source and works with Wordpress, Joomla, and any PHP-based site.

Bad Behavior promises to never block search engine spiders like Google, Yahoo, and MSN while protecting your site and your wallet.

They have a blog on the site that discusses spam, link spammers, and the like.

Bad Behavior
