Runbox Forum
24 Dec 2012, 03:30 AM | #1
Junior Member
Join Date: Nov 2003
Posts: 25
SUGGESTION: unlimit password
The limitation of passwords to 16 characters is just ridiculous. Please uncork it.
24 Dec 2012, 04:58 AM | #2
The "e" in e-mail
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938
Representative of:
Runbox.com
Yep, already done in Runbox 6: https://rmm6.runbox.com/mail/account
The password requirement is now 6-64 characters. - Geir
24 Dec 2012, 10:58 AM | #3
Cornerstone of the Community
Join Date: Mar 2011
Location: ~$
Posts: 652
Tried to change my password, and this happened:
Quote:
Three problems there:
1) My password is valid. Your password validation formula is not. There is no reason to ban any character between ASCII codes 32 and 126 (including the space character). You're going to hash it anyway, right?
2) Just because my password doesn't contain a number doesn't mean that it is "too uniform". Password strength is a factor of N^L, where N is the size of the character space, and L is the length of the password. A bit of math will quickly tell you that L is much more important than N.
3) We're all responsible adults, aren't we? By all means, please warn me if you think my password is weak. But it should be a warning, not an error, as long as the password isn't something like 1234.
I appreciate that the password limitation has become a little less ridiculous than it was before, but unfortunately, the ridiculousness factor is still a little too high for my taste.
31 Jan 2013, 08:34 AM | #4
The "e" in e-mail
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938
Representative of:
Runbox.com
Runbox 6 allows the following special characters in account passwords, in addition to the regular a-z, A-Z, and 0-9:
Code:
+?=()&,.:;-_/*@!#~`#$%^&[]{}|\'"<>
Regarding the nonuniform requirement: Password strength is a factor of not just character set and length, but also of unpredictability -- which is where numbers and special characters are helpful. Password crackers typically start with dictionary words and they rarely contain numbers or special characters. In other words, requiring numbers and special characters increases password strength. And yes, we might all be responsible adults, but Runbox is responsible for keeping the entire service secure, which includes protecting accounts from hijacking. Unauthorized access to a user account not only hurts the user but potentially all other users if the hijacker uses the account to send spam (which in turn could get Runbox blocked by other services). Therefore we now require a minimum level of password complexity. - Geir
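As an added illustration of the N^L exchange in posts #3 and #4 (example code, not from the thread or from Runbox), the following puts numbers on both positions: it takes N from Geir's list of accepted symbols (32 distinct ones, so 94 with a-z, A-Z and 0-9) and shows that a long lowercase password beats a short full-set one, while a password built from dictionary words has a far smaller guess space than its length suggests. The 100,000-word dictionary size is an assumed figure.

```python
import math

# Symbols Runbox 6 accepts in passwords, as listed in post #4 of the thread.
RUNBOX_SPECIALS = r'''+?=()&,.:;-_/*@!#~`#$%^&[]{}|\'"<>'''

LOWER, UPPER, DIGITS = 26, 26, 10


def alphabet_size(lower=True, upper=False, digits=False, specials=False):
    """Size N of the character space for a policy built from these classes."""
    n = 0
    n += LOWER if lower else 0
    n += UPPER if upper else 0
    n += DIGITS if digits else 0
    # The posted list repeats # and &, so count distinct symbols only.
    n += len(set(RUNBOX_SPECIALS)) if specials else 0
    return n


def random_password_bits(n, length):
    """Entropy of a password drawn uniformly from the N^L candidates: L * log2(N)."""
    return length * math.log2(n)


def word_password_bits(dictionary_size, words):
    """Entropy when the password is `words` dictionary words picked at random.
    Character length does not matter here; the guess space is D^words, which is
    the point Geir makes about crackers starting from dictionary words."""
    return words * math.log2(dictionary_size)


def compare_policies():
    full = alphabet_size(lower=True, upper=True, digits=True, specials=True)
    return {
        "charset_full": full,                                 # 94
        "16_lowercase": random_password_bits(26, 16),         # ~75.2 bits
        "8_full_set": random_password_bits(full, 8),          # ~52.4 bits
        "6_full_set_minimum": random_password_bits(full, 6),  # ~39.3 bits
        # Two words from an assumed 100,000-word list: 16+ chars, only ~33 bits.
        "2_dictionary_words": word_password_bits(100_000, 2),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:>20}: {value:.1f}")
```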
31 Jan 2013, 06:01 PM | #5
Senior Member
Join Date: Jan 2003
Posts: 113
Quote:
Do you have a security measure in your system that disallows a lot of tries? Is the user of the account warned when such an attack has taken place? If dictionary / brute force attacks aren't possible, then I could (I don't say I will) use a smaller unpredictable password that is easier to memorize.
31 Jan 2013, 07:17 PM | #6
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,945
31 Jan 2013, 08:13 PM | #7
Senior Member
Join Date: Jan 2003
Posts: 113
31 Jan 2013, 08:21 PM | #8
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,945
Fine. So the attack is possible, but becomes pointless after 10 attempts (or 3 minutes or whatever). That's precisely my point.
31 Jan 2013, 08:39 PM | #9
Master of the @
Join Date: Dec 2007
Location: Hiding under my bed
Posts: 1,465
Quote:
That would be a wonderful feature. I mean, even Hotmail has that one, right? It would also be great to have something like a "trusted pc" feature — not simply as Hotmail uses it (for password/account recovery), but for two-step authentication at login (a la Gmail's 2FA). Since I access my email strictly from my single home computer, this option would be very useful, not to mention reassuring.
31 Jan 2013, 09:20 PM | #10
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
It would be extremely irritating to find you were locked out of your account because someone had tried/failed to get access.
Even more so if it was a free account - the hassle of getting the account back. That's why 2FA is so very important. On a similar thread, a friend had his smartphone enabled with a pattern lock for security. Someone, being clever/messing about, with his unattended 'phone, tried numerous patterns, but only managed to ensure that the smartphone owner was locked out of his own device!
1 Feb 2013, 02:40 AM | #11
Cornerstone of the Community
Join Date: Sep 2005
Location: Oslo, Norway
Posts: 555
Representative of:
Runbox.com
Quote:
Kim
1 Feb 2013, 02:45 AM | #12
Senior Member
Join Date: Jan 2003
Posts: 113
But have you built in some protection against such attacks, like refusing a login attempt for a minute after 3 incorrect attempts for a specific account? That would make brute force attacks useless.
1 Feb 2013, 04:06 AM | #13
Cornerstone of the Community
Join Date: Sep 2005
Location: Oslo, Norway
Posts: 555
Representative of:
Runbox.com
Quote:
The end solution is clearly two-factor authentication and we are working on implementing that. Kim
1 Feb 2013, 04:31 AM | #14
Senior Member
Join Date: Jan 2003
Posts: 113
Quote:
So, even a few seconds pause after each incorrect login will be enough to block a successful brute force attack.
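An added example (not Runbox's code) of the per-account pause proposed in post #12 and defended in #14: after 3 wrong attempts the account refuses logins for a minute, the owner is told about it (the warning post #5 asked for), and the pause expires by itself so nobody can lock the owner out permanently (the worry in post #10). The 3 attempts and one-minute pause come from post #12; the 60-second failure window is an assumption.

```python
import time
from collections import defaultdict, deque

# Policy from post #12: refuse logins for a minute after 3 wrong attempts.
MAX_FAILURES = 3        # wrong attempts that trigger the pause
FAILURE_WINDOW = 60.0   # seconds within which those failures must occur (assumed)
LOCKOUT = 60.0          # seconds the account then refuses every login


class LoginThrottle:
    """Per-account temporary lockout. Because the pause expires by itself,
    someone hammering the login form cannot lock the owner out for good;
    it only slows guessing to a crawl."""

    def __init__(self, verify_password, clock=time.monotonic, notify=None):
        self.verify_password = verify_password  # (user, password) -> bool
        self.clock = clock                      # injectable for tests
        self.notify = notify or (lambda user, msg: None)  # warn the owner
        self.failures = defaultdict(deque)      # user -> failure timestamps
        self.locked_until = {}                  # user -> time the pause ends

    def _prune(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()

    def attempt(self, user, password):
        """Return 'ok', 'bad_password' or 'locked'. A correct password during
        the pause is also refused, so a guess cannot be confirmed then."""
        now = self.clock()
        if self.locked_until.get(user, 0.0) > now:
            return "locked"
        if self.verify_password(user, password):
            self.failures[user].clear()
            return "ok"
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            self.failures[user].clear()
            # Tell the account owner what was blocked, as post #5 asked.
            self.notify(user, f"{MAX_FAILURES} failed logins; paused {LOCKOUT:.0f}s")
        return "bad_password"


def max_guesses_per_day():
    """Upper bound on online guesses against one account under this policy:
    MAX_FAILURES per LOCKOUT period, the figure behind post #14's claim."""
    return int(86400 // LOCKOUT) * MAX_FAILURES   # 4320
```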
1 Feb 2013, 05:56 AM | #15
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616