Use a max length password.... or not?

#1

JimWilliamson

Which is more secure - to use the maximum length password a system will allow, or use a slightly shorter length password?

When using a password manager, it becomes trivial to use passwords that match the maximum length a system will allow. But, if that became practice, would that "known length" password be harder or easier to crack than using a password of slightly less than maximum length - say a random few characters shorter than maximum length? If max length became the norm - hackers would target that length only (or first).

Thoughts?


#2

Coffee

If the max password length allowed is short, using every character (bit of entropy) permitted is essential. If the max password length is large, it won't matter if they guess that you're using that many characters because it will take them an eternity to brute strength attack.

For expedience and the quickest returns, I expect the typical hacker to go for the low-hanging fruit first. That would bias their attacks on the shorter range of password lengths.


#3

PHolder

If we're talking 15+ characters, I presume you're using a password manager (or writing them in a book, the analog password manager.) In this case you should be making your password truly random. There is no opportunity for password cracking when your password is 25+ characters, and there probably never will be, no matter the advances in technology. So based on that fact, it probably doesn't matter either way, but length will always make it take [much] longer to theoretically attack. (The attack might go from 10x the age of the universe to 1000x though.)


#4

miquelfire

I saw a site with a limit of 256 characters for the password.


#5

calisto

On the subject of passwords, I moved from LastPass to Bitwarden a couple of years ago. Bit by bit, it took me about a month to go through all the entries. So I am thinking about how best to prepare for the next time this happens. I bought an Apricorn stick to keep a cold copy of the Bitwarden dump.

I am considering changing all high-priority passwords again. But this time my thought is to store those passwords in an incomplete state.

For example, let us assume my bank login is now a Bitwarden-generated twenty-five character password. I plan to steal the first three characters, or just add three at the beginning of the password. But the passwords in Bitwarden would be saved without those first three characters, which only I know. The idea is, all those passwords are useless without those three characters in my head.

That gives me extra time to take action on my end in case of a password manager hack. Should I add a few, or a lot without compromising things?

Cheers.


#6

PHolder

That gives me extra time to take action
Spend your energy making your password manager password secure and that should be plenty. My LastPass password was around 25 characters. I exported my passwords from it and imported them into Bitwarden. I then disabled my LastPass account, but have taken no other action. I've never reused either password, and they're long and strong enough that I have seen no effect from the LastPass event. While you could take other actions, you're only going to end up making using passwords more difficult, and thus make your life more difficult.


#7

DanR

Which is more secure - to use the maximum length password a system will allow, or use a slightly shorter length password?

When using a password manager, it becomes trivial to use passwords that match the maximum length a system will allow. But, if that became practice, would that "known length" password be harder or easier to crack than using a password of slightly less than maximum length - say a random few characters shorter than maximum length? If max length became the norm - hackers would target that length only (or first).

Thoughts?
Please check this page out:


Here you may enter a potential password string of any length to get an "indication" of its strength.

Note: This page sends NOTHING back to GRC.com. It is 100% private by design.


#8

xplora1a

My experience is that many sites don't tell you the max password length. They will accept a longer length in the entry field than the password length and then fail to recognise your longer password when you try to log in. The only way to find the max password length is to repeat this process till successful login.


#9

miquelfire

I had that issue with the max length once. I think the worst part was the site did have the list of requirements, but it only showed up while the password didn't meet them, and somehow pasting a password would not cause them to appear to tell me the password was too long. The error I got when trying to log in with my long password was more of a generic error, nothing that would hint I had typed in a wrong password. Imagine logging into a site and getting an HTTP 500 (or something as useless to end users like that) error instead of an incorrect login error.

Tangent: Another site must have changed their password requirements at some point. There was one of three things I was doing at the time: changing my password (LastPass to Bitwarden), changing my 2FA auth app (I just found one that worked better than what I was using), or adding my YubiKeys (and Windows Hello on my home computer, and the fact I can do that is annoying when I was adding YubiKeys to accounts that supported them, as it would pop up before asking me to plug in my key!). My old password had a symbol that, at some point, they no longer allowed in their passwords, and having that symbol meant that when I had my old password in a field, it would cause an error in whatever I was trying to do. That, or I wasn't doing anything with my account but logging in, and the login page was displaying the error (a "Something went wrong" error, BTW).
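The failure xplora1a and miquelfire describe in #8 and #9 (a field that accepts more characters than the site stores, so the long password never logs in) usually comes from truncating before hashing on one path but not the other. The constructed example below is added here and is not code from any poster or from GRC; it models a site with an assumed 20-character limit, first with the silent-truncation defect and then with the limit enforced explicitly on both registration and login.

```python
import hashlib
import os
import secrets

# Assumed site limit for this constructed example; real sites rarely state theirs.
MAX_PASSWORD_LENGTH = 20


def _hash(password: bytes, salt: bytes) -> bytes:
    # Salted PBKDF2; any proper password hash would serve the demonstration.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


class TruncatingStore:
    """The defect the posters hit: registration silently cuts the password to the
    limit before hashing, but login hashes whatever was typed. The full password
    then never works, while its first MAX_PASSWORD_LENGTH characters do."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        stored = password.encode()[:MAX_PASSWORD_LENGTH]  # silent truncation
        self.users[user] = (salt, _hash(stored, salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self.users[user]
        return secrets.compare_digest(_hash(password.encode(), salt), digest)


class StrictStore(TruncatingStore):
    """Hardened version: the same limit is enforced on both paths, over-length
    input is rejected with an explicit reason, and nothing is ever truncated."""

    def register(self, user: str, password: str) -> None:
        if len(password.encode()) > MAX_PASSWORD_LENGTH:
            raise ValueError(f"password exceeds {MAX_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password.encode(), salt))

    def login(self, user: str, password: str) -> bool:
        if len(password.encode()) > MAX_PASSWORD_LENGTH:
            return False  # cannot match anything stored, so fail without hashing
        return super().login(user, password)
```

With the truncating store, a 25-character password fails at login while its first 20 characters succeed, which is exactly the symptom of a limit the site never announced.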


#10

Lovelies

Which is more secure - to use the maximum length password a system will allow, or use a slightly shorter length password?

When using a password manager, it becomes trivial to use passwords that match the maximum length a system will allow. But, if that became practice, would that "known length" password be harder or easier to crack than using a password of slightly less than maximum length - say a random few characters shorter than maximum length? If max length became the norm - hackers would target that length only (or first).

Thoughts?
I think it depends on your threat model. If the attacker is a random person trying to gain access to the system and doesn't care whose account they log into, they will start with short passwords because most users use short ones and then increment the number of characters when they fail. In that case, use the max. If the attacker is trying to access *your* account and knows that you typically use the highest number of characters, they will start with the maximum and then decrement. If max length became the norm for most accounts, the second scenario would apply, but I don't see that happening. However, if the maximum length is more than 10-16, it doesn't matter as long as the pw is random. The attacker will run out of time before breaking the encryption.
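A worked estimate of the two attacker strategies Lovelies describes (sweep lengths upward from the short end, or downward from the site maximum), which also answers the original question in #1 and Coffee's point in #2 about low-hanging fruit. This is an added example, not from any poster; it assumes a 94-symbol character set (printable ASCII without space), an assumed 1e12 guesses per second, random passwords of 25 characters, and a site maximum of 30.

```python
# Constructed estimate; charset 94 = printable ASCII without the space character,
# and 1e12 guesses/second is an assumed offline cracking rate, not a measured one.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guesses_known_length(charset: int, length: int) -> int:
    """Attacker knows the exact length: on average half the keyspace is searched."""
    return charset ** length // 2


def guesses_ascending(charset: int, length: int, min_length: int = 1) -> int:
    """Attacker starts at the shortest length and works up (the 'low-hanging
    fruit' strategy): every shorter keyspace is exhausted before the right one."""
    shorter = sum(charset ** n for n in range(min_length, length))
    return shorter + guesses_known_length(charset, length)


def guesses_descending(charset: int, length: int, max_length: int) -> int:
    """Attacker assumes the site maximum and works down: every longer keyspace
    is exhausted before the right one."""
    longer = sum(charset ** n for n in range(length + 1, max_length + 1))
    return longer + guesses_known_length(charset, length)


def years(guesses: int, rate: float) -> float:
    return guesses / rate / SECONDS_PER_YEAR


def compare(charset=94, length=25, max_length=30, rate=1e12) -> dict:
    """Cost of each strategy relative to an attacker who already knows the length."""
    known = guesses_known_length(charset, length)
    return {
        "years_if_length_known": years(known, rate),
        "ascending_overhead": guesses_ascending(charset, length) / known,
        "descending_overhead": guesses_descending(charset, length, max_length) / known,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3g}")
```

Because each length's keyspace is 94 times the previous one, sweeping upward costs only about 2 percent more than knowing the length outright, while sweeping downward from a maximum five characters longer costs billions of times more; either way a random 25-character password is out of reach, so the exact length is not what matters.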


#11

juztsteve

I read somewhere that it is no longer about using all types of the accepted characters in a 12-20 length password but about making it a long phrase that only you would come up with, like "ThetImehaSComefOralLGoodmEnTosItAtthEFrontoFthECla55r00m!", which would make it impossible to decipher. Maybe not that long, but you catch my drift. The idea being that it is simple to remember and impossible for someone else to crack. Regards.