Why is password length limited to 15 characters maximum?
That limits the maximum theoretical password entropy to 98.325 bits (6.555 bits per character from the 94-character printable ASCII set, minus space).
An example of a maximal-length password under the current policy, wL}2Fbrs%B&/PL&, has only 91 bits of entropy.
Why not allow longer passwords?
I have passed your input on to our web operations team.
Intel uses Single Sign-On and the Intel(R) Developer Zone does not really control these requirements.
Intel(R) Developer Zone Support
Thanks, I appreciate passing it on.
I am asking Intel to allow passwords longer than 15 characters, not to enforce them, so your question whether you would use them is not relevant -- you don't have to (but you would be wise to do so).
Also, I can list some terrible 12-character passwords right here -- for example, Mypassw0rd1! meets Intel's complexity rule, but it is broken in mere seconds because it has only 41 bits of entropy.
The rationale for my request is:
1. So many passwords have been leaked that all passwords up to and including 12 characters are no longer considered safe.
2. The minimum length should be increased from 8 to 12.
3. People are terrible at generating secure passwords; that job should be done by password managers.
4. Since we all should use password managers, it doesn't matter whether it is 15 or 20 characters; it's not us remembering them.
5. Even memorizing and typing a 20-character [a-zA-Z0-9] password, if you do not use a password manager (and you should be by now), is easier than typing a 15-character password with special characters, and because of its length it still has more entropy and is therefore more secure / harder to crack.
As for Yahoo, do not confuse operational security with password rules. Yahoo had a security breach, which has nothing to do with password rules.
I have heard that some private organizations use a combination of MD5 & their own hashing algorithm to store passwords (in that order) so that secrecy can be maintained. I was wondering if this could be the solution to the problem or if we could just run multiple hashing algorithms a bunch of times.
Sergey Kostrov wrote:
>> If these private organizations don't encrypt the MD5 signatures stored in their databases, then these systems could be compromised if the MD5 signatures are stolen. It is not too difficult to reconstruct a source string of characters from an already existing / known MD5 signature.
Wait, really? But aren't these hashing algorithms designed to make sure that they cannot be reversed in any practical way? Being one way and all. I mean, if it were up to me then I would probably run a hash 5 to 10 times and keep the key somewhere hidden and isolated in another offline server.
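As an added illustration of the storage question raised in this thread (not code from Intel or from any poster), the following Python contrasts repeated unsalted MD5, as described above, with a salted, iterated key derivation (PBKDF2-HMAC-SHA256, an assumed choice). The iteration count, salt length, storage format and the sample passwords are all constructed values.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional


def md5_chain(password: str, rounds: int = 10) -> str:
    """Run MD5 repeatedly with no salt, as described in the thread (for illustration only)."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest.hex()


def lookup_unsalted(stored: str, candidates: Iterable[str], rounds: int = 10) -> Optional[str]:
    """Show why unsalted hashing is weak: one precomputed table matches every user with that password."""
    table = {md5_chain(c, rounds): c for c in candidates}
    return table.get(stored)


def pbkdf2_store(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Constructed storage format: algorithm$iterations$salt$derived_key (all parameters recoverable)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = "Mypassw0rd1!"  # the weak example password quoted in the thread
    # Unsalted chained MD5: two users with the same password share one stored value,
    # and a precomputed table of common passwords recovers it without any "reversal".
    print("chained MD5 identical for two users:", md5_chain(weak) == md5_chain(weak))
    print("table lookup hit:", lookup_unsalted(md5_chain(weak), ["letmein", weak]))
    # Salted PBKDF2: per-user salt makes stored values differ, and the work factor is tunable.
    s1, s2 = pbkdf2_store(weak), pbkdf2_store(weak)
    print("PBKDF2 values differ per user:", s1 != s2)
    print("verify correct / wrong:", pbkdf2_verify(weak, s1), pbkdf2_verify("Mypassw0rd2!", s1))
```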