EmailDiscussions.com  

Runbox Forum
Old 24 Dec 2012, 03:30 AM   #1
ezfig
Junior Member
 
Join Date: Nov 2003
Posts: 25
SUGGESTION: unlimit password

The limitation of passwords to 16 characters is just ridiculous. Please uncork it.

Old 24 Dec 2012, 04:58 AM   #2
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Yep, already done in Runbox 6: https://rmm6.runbox.com/mail/account

The password requirement is now 6-64 characters.

- Geir
Old 24 Dec 2012, 10:58 AM   #3
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
Tried to change my password, and this happened:
Quote:
Error: Invalid password
Error: The password is too uniform. Please use a password that is harder to guess.
Dug a little deeper, and found this:
Quote:
Your password is case sensitive, and may contain the letters a-z and A-Z, the numbers 0-9, and the symbols + ? = ( ) & , . : - _ / *.
What was I doing? Nothing too special, just following this excellent advice.

Three problems there:

1) My password is valid. Your password validation formula is not. There is no reason to ban any character between ASCII codes 32 and 126 (including the space character). You're going to hash it anyway, right?

2) Just because my password doesn't contain a number doesn't mean that it is "too uniform". Password strength is a factor of N^L, where N is the size of the character space, and L is the length of the password. A bit of math will quickly tell you that L is much more important than N.

3) We're all responsible adults, aren't we? By all means, please warn me if you think my password is weak. But it should be a warning, not an error, as long as the password isn't something like 1234.

I appreciate that the password limitation has become a little less ridiculous than it was before, but unfortunately, the ridiculousness factor is still a little too high for my taste.
Old 31 Jan 2013, 08:34 AM   #4
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Runbox 6 allows the following special characters in account passwords, in addition to the regular a-z, A-Z, and 0-9:

Code:
+?=()&,.:;-_/*@!#~`#$%^&[]{}|\'"<>
The quoted password requirements applied to Runbox 5, but have now been updated in Runbox 6. More information can be found here: http://doc.runbox.com/twiki/bin/view/RunboxHelp/Account

Regarding the nonuniform requirement: Password strength is a factor of not just character set and length, but also of unpredictability -- which is where numbers and special characters are helpful. Password crackers typically start with dictionary words and they rarely contain numbers or special characters. In other words, requiring numbers and special characters increases password strength.

And yes, we might all be responsible adults, but Runbox is responsible for keeping the entire service secure, which includes protecting accounts from hijacking. Unauthorized access to a user account not only hurts the user but potentially all other users if the hijacker uses the account to send spam (which in turn could get Runbox blocked by other services). Therefore we now require a minimum level of password complexity.

- Geir
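Putting kijinbear's N^L argument and the Runbox 6 rules Geir quotes side by side, here is an added example (Python, written for this page; not Runbox's code). It allows every printable ASCII character (codes 32-126, space included), enforces the 6-64 length, rejects a small dictionary of common passwords (Geir's point about crackers starting with dictionary words), and otherwise scores the password as L * log2(N) and returns "weak" as a warning rather than an error. The bit thresholds, the blocklist and the sample passwords are assumptions made up for the example.

```python
import math
import string

# Length rule quoted from Geir's post above (Runbox 6: 6-64 characters).
MIN_LEN, MAX_LEN = 6, 64

# Character classes used to size the search space N in N**L. string.punctuation
# plus the space gives the 33 symbols in ASCII 32-126; 26+26+10+33 = 95.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}

# Assumed thresholds and blocklist (not from the thread, chosen for the example).
REJECT_BITS = 28   # below this, refuse outright: an online guesser gets there quickly
WARN_BITS = 50     # below this, warn but still accept
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "runbox"}


def is_printable_ascii(pw):
    """True if every character is in ASCII 32-126 (space through tilde)."""
    return all(32 <= ord(c) <= 126 for c in pw)


def charset_size(pw):
    """N: the alphabet size an attacker must assume, given the classes actually used."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))


def strength_bits(pw):
    """log2(N**L) = L * log2(N). An upper bound: it assumes the characters were chosen at random."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw):
    """Return (status, message); status is 'error', 'warning' or 'ok'."""
    if not is_printable_ascii(pw):
        return "error", "only printable ASCII (codes 32-126, space included) is allowed"
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return "error", f"password must be {MIN_LEN}-{MAX_LEN} characters"
    if pw.lower() in COMMON_PASSWORDS:
        return "error", "that password is in every cracker's dictionary"
    bits = strength_bits(pw)
    if bits < REJECT_BITS:
        return "error", f"too easy to guess (about {bits:.0f} bits)"
    if bits < WARN_BITS:
        return "warning", f"weak password (about {bits:.0f} bits); a longer one beats a more varied one"
    return "ok", f"about {bits:.0f} bits"


if __name__ == "__main__":
    # Constructed sample inputs. The four-word lowercase passphrase beats the
    # short mixed-class one purely on length, which is kijinbear's point.
    for pw in ["1234", "password", "abc123", "Tr0ub4dor&3",
               "correct horse battery staple", "p\u00e4ssw\u00f6rd"]:
        print(f"{pw!r:34} -> {check_password(pw)}")
```

The scoring deliberately counts a class only when the password actually uses it, so a 28-character lowercase passphrase with spaces scores about 165 bits while an 11-character password using all four classes scores about 72: length dominates, as the post argues. The dictionary check is what catches the case the entropy formula overrates, a real word that happens to be long.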
Old 31 Jan 2013, 06:01 PM   #5
marc@ms
Senior Member
 
Join Date: Jan 2003
Posts: 113
Quote:
Originally Posted by Geir View Post
Regarding the nonuniform requirement: Password strength is a factor of not just character set and length, but also of unpredictability -- which is where numbers and special characters are helpful. Password crackers typically start with dictionary words and they rarely contain numbers or special characters. In other words, requiring numbers and special characters increases password strength.
If a password is unpredictable then a password cracker must use a brute force / dictionary attack to find the right password. Therefore they must try a lot of passwords using your login procedure.

Do you have a security measure in your system that disallows a lot of tries? Is the user of the account warned when such an attack has taken place?

If dictionary / brute force attacks aren't possible, then I could (I don't say I will) use a smaller unpredictable password that is easier to memorize.
Old 31 Jan 2013, 07:17 PM   #6
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,945
Quote:
Originally Posted by marc@ms View Post
If dictionary / brute force attacks aren't possible
They will always be possible. What really matters is how effective they are.
Old 31 Jan 2013, 08:13 PM   #7
marc@ms
Senior Member
 
Join Date: Jan 2003
Posts: 113
Quote:
Originally Posted by janusz View Post
They will always be possible. What really matters is how effective they are.
I doubt that. It all depends on the login procedure accepting multiple retries in a certain time. E.g. iOS deletes your data after 10 attempts.
Old 31 Jan 2013, 08:21 PM   #8
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,945
Fine. So the attack is possible, but becomes pointless after 10 attempts (or 3 minutes or whatever). That's precisely my point.
Old 31 Jan 2013, 08:39 PM   #9
B4its2L8
Master of the @
 
Join Date: Dec 2007
Location: Hiding under my bed
Posts: 1,465
Quote:
Originally Posted by marc@ms View Post

Do you have a security measure in your system that disallows a lot of tries? Is the user of the account warned when such an attack has taken place?

That would be a wonderful feature. I mean, even Hotmail has that one, right ?

It would also be great to have something like a "trusted pc" feature — not simply as Hotmail uses it (for password/account recovery), but for two-step authentication at login (a la Gmail's 2FA). Since I access my email strictly from my single home computer, this option would be very useful, not to mention reassuring.
Old 31 Jan 2013, 09:20 PM   #10
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
It would be extremely irritating to find you were locked out of your account because someone had tried/failed to get access.

Even more so if it was a free account - the hassle of getting the account back.

That's why 2FA is so very important.

On a similar thread, a friend had his smartphone enabled with a pattern lock for security.

Someone, being clever/messing about, with his unattended 'phone, tried numerous patterns, but only managed to ensure that the smartphone owner was locked out of his own device!
Old 1 Feb 2013, 02:40 AM   #11
kservik
Cornerstone of the Community
 
Join Date: Sep 2005
Location: Oslo, Norway
Posts: 555

Representative of:
Runbox.com
Quote:
Originally Posted by marc@ms View Post
Do you have a security measure in your system that disallows a lot of tries? Is the user of the account warned when such an attack has taken place?
We have found that hackers don't use a single server to check from (that would make it easy to block). They use bot-nets to do the check, and they do these things over a very long time to try to avoid detection.

Kim
Old 1 Feb 2013, 02:45 AM   #12
marc@ms
Senior Member
 
Join Date: Jan 2003
Posts: 113
Quote:
Originally Posted by kservik View Post
We have found that hackers don't use a single server to check from (that would make it easy to block). They use bot-nets to do the check, and they do these things over a very long time to try to avoid detection.

Kim
But have you built in some protection against such attacks, like refusing a login attempt for a minute after 3 incorrect attempts for a specific account? That would make brute force attacks useless.
Old 1 Feb 2013, 04:06 AM   #13
kservik
Cornerstone of the Community
 
Join Date: Sep 2005
Location: Oslo, Norway
Posts: 555

Representative of:
Runbox.com
Quote:
Originally Posted by marc@ms View Post
But have you built in some protection against such attacks, like refusing a login attempt for a minute after 3 incorrect attempts for a specific account? That would make brute force attacks useless.
We monitor this kind of behavior. Automatically locking the account will affect the end user. How long do you think the account should be locked after three failed logins? 1 minute? That would not stop the scan. 1 hour? This will not affect the scan (it will patiently start scanning again when it can), but will affect the end user.

The end solution is clearly two-factor authentication and we are working on implementing that.

Kim
Old 1 Feb 2013, 04:31 AM   #14
marc@ms
Senior Member
 
Join Date: Jan 2003
Posts: 113
Quote:
Originally Posted by kservik View Post
We monitor this kind of behavior. Automatically locking the account will affect the end user. How long do you think the account should be locked after three failed logins? 1 minute? That would not stop the scan. 1 hour? This will not affect the scan (it will patiently start scanning again when it can), but will affect the end user.

The end solution is clearly two-factor authentication and we are working on implementing that.

Kim
I know it will not stop them, but it will discourage them. Brute force attacks can only work if multiple attempts per second/minute are possible, otherwise it will "take forever".

So, even a few seconds pause after each incorrect login will be enough to block a successful brute force attack.
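The trade-off Kim describes in post #13 (a lock long enough to matter also locks out the owner; a botnet just waits it out) and marc@ms's reply in #14 (a few seconds' pause per failure is enough to make online guessing impractical) can both be made concrete. The following is an added example written for this page, not Runbox's code: a per-account throttle whose pause grows with each consecutive failure but is capped, plus a rough calculation of how many guesses per day each policy leaves an attacker. The throttle is keyed on the account rather than the client IP, so spreading guesses across a botnet does not reset it. Every parameter (3 free failures, 2 s doubling to a 60 s cap, an owner alert at 20 failures per hour, and the 10 attempts/s assumed for an unthrottled endpoint) is an assumption chosen for the example, as is the comparison with a 1-minute lock after 3 failures from the thread.

```python
import math
from collections import defaultdict


class LoginThrottle:
    """Per-account throttle: a short, growing pause after repeated failures
    instead of a hard lockout. Keyed on the account name only, so spreading
    the guesses over many IP addresses does not reset it; the pause is capped
    so the legitimate owner is never shut out for long. All parameters are
    assumptions made for this example."""

    def __init__(self, free_failures=3, base_delay=2.0, max_delay=60.0,
                 alert_after=20, window=3600.0):
        self.free_failures = free_failures   # failures allowed with no pause
        self.base_delay = base_delay         # first pause, in seconds
        self.max_delay = max_delay           # the pause never grows beyond this
        self.alert_after = alert_after       # failures per window that trigger an owner notice
        self.window = window                 # seconds
        self._fails = defaultdict(int)       # consecutive failures per account
        self._next_ok = defaultdict(float)   # earliest time an attempt is processed
        self._history = defaultdict(list)    # failure timestamps per account

    def delay_after(self, failures):
        """Pause in seconds after `failures` consecutive failures: 0, 0, 0, 2, 4, 8, ... capped."""
        if failures <= self.free_failures:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_failures - 1), self.max_delay)

    def attempt(self, account, now, password_ok):
        """Process one login attempt at time `now` (seconds).
        Returns (accepted, retry_after, alert_owner)."""
        if now < self._next_ok[account]:
            # Still inside the pause: reject without even checking the password.
            return False, self._next_ok[account] - now, False
        if password_ok:
            self._fails[account] = 0
            return True, 0.0, False
        self._fails[account] += 1
        recent = [t for t in self._history[account] if now - t <= self.window] + [now]
        self._history[account] = recent
        self._next_ok[account] = now + self.delay_after(self._fails[account])
        # Notify the owner once, when the failure count in the window first reaches the threshold.
        alert = len(recent) == self.alert_after
        return False, self._next_ok[account] - now, alert


def guesses_per_day(policy):
    """Upper bound on online guesses against one account per day under each policy.
    Assumed attacker model: the endpoint sustains 10 attempts/s when unthrottled."""
    if policy == "none":
        return 10 * 86400
    if policy == "lock_1min_after_3":        # 3 guesses, then a 1-minute lock, repeated
        return 3 * 1440
    if policy == "progressive_60s_cap":      # one guess per 60 s once the pause has saturated
        return int(86400 / 60)
    raise ValueError(policy)


def years_to_exhaust(bits, per_day):
    """Years needed to try every password in a space of 2**bits at `per_day` guesses."""
    return 2 ** bits / per_day / 365


if __name__ == "__main__":
    t = LoginThrottle()
    for i in range(6):
        print(i, t.attempt("alice", float(i), False))   # failures pile up, pauses grow
    print("owner logs in:", t.attempt("alice", 30.0, True))
    for policy in ["none", "lock_1min_after_3", "progressive_60s_cap"]:
        pin_days = years_to_exhaust(math.log2(10000), guesses_per_day(policy)) * 365
        print(f"{policy:22} 4-digit PIN: {pin_days:7.2f} days; "
              f"31-bit password: {years_to_exhaust(31, guesses_per_day(policy)):8.1f} years")
```

Two things the numbers show. First, the capped pause costs the owner at most a minute, yet leaves a patient attacker about 1440 guesses per account per day, so a password of only 28 bits would take centuries to exhaust online; without any throttle the same space falls in under a year at the assumed rate. Second, the throttle does nothing about the distributed, slow scans Kim describes except cap their rate, which is why the per-window alert exists: the owner learns that someone is guessing, and the service gets a signal to act on, without anyone being locked out.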
Old 1 Feb 2013, 05:56 AM   #15
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by kservik View Post
The end solution is clearly two-factor authentication and we are working on implementing that.
Are you able to give any time scale for implementation of 2FA?
All times are GMT +9. The time now is 01:17 AM.
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy