Post subject: Re: Password Length Posted: Wed Feb 23, 2011 5:18 pm
1337 Beta Collector
Joined Thu Jul 15, 2010 9:46 pm
Posts 1102
Location United States
Favourite OS Windows 7 Ultimate SP1 x64
Yea, when I had to change my password, I had an 11 character password but that did not work so I was forced to use my longer password that I could remember which is much more.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 5:50 pm
Site Administrator
Joined Fri Aug 18, 2006 11:47 am
Posts 11410
Location Merseyside, United Kingdom
Favourite OS Microsoft Windows 7 Ultimate x64
8 characters can be brute forced in about 2 days. 12 characters takes about a month. That is the reason why we use more. I doubt anyone will go through the process of brute forcing an MD5 hash that will take them 1 month to find, should they get hold of the database.
If you can't remember it or use an 8 character password, stick 4 numbers on the end. Easy peasy, problem solved.
Edit: Those time figures might not be right actually, since the calculator I used didn't say what algorithm it was using. Point being the time it takes increases exponentially with length. The longer the better.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 6:06 pm
1337 Beta Collector
Joined Sat Nov 28, 2009 4:05 pm
Posts 2360
But equally all these noobs who think 'OMG I HACKED A FORUM LOL!!! LOOK GUISE I R HACK TEH FORUM!!! LOL!!1!' won't spend two days because they're all little kids who want to 'prove' that they can 'hack' computers, and that's the kind of person who would hack a forum such as this. Someone really dedicated would spend a month, yes, because they'd be a sad person with no life, but how many of these people would actually target this forum? None that I know of because this place doesn't attract those kinds of people.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 6:23 pm
Site Moderator
Joined Sun Nov 09, 2008 12:09 am
Posts 2495
Location Berkshire, UK
Favourite OS Windows 7 SP1
Andy wrote:
8 characters can be brute forced in about 2 days. 12 characters takes about a month. That is the reason why we use more. I doubt anyone will go through the process of brute forcing an MD5 hash that will take them 1 month to find, should they get hold of the database.
If you can't remember it or use an 8 character password, stick 4 numbers on the end. Easy peasy, problem solved.
Edit: Those time figures might not be right actually, since the calculator I used didn't say what algorithm it was using. Point being the time it takes increases exponentially with length. The longer the better.
Nonetheless, a 12 character password for a small forum with very little to be gained is still overkill and isn't very well justified. Yes, a longer password is more secure, but for a forum it is pointless. Surely you can see that. BA is not a multinational bank.
I'm not a computer security expert, and most likely you're not either.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 6:52 pm
Site Administrator
Joined Fri Aug 18, 2006 11:47 am
Posts 11410
Location Merseyside, United Kingdom
Favourite OS Microsoft Windows 7 Ultimate x64
phpBB3 might have its own algorithm, but it can still be brute forced. Keeping to a 12 character minimum prevents that being easy. If you're that bothered, don't visit BA. It's that simple. If you think we're bad, wait until you go working somewhere that you use a computer every day on. They'll be subject to even stricter passwords. My work requires you to have alphanumeric characters and symbols with a length of 16 characters, force changed every 2 weeks, and you can't use any password you used before, so it has to be different.
If you can't be bothered to remember a password 12 characters in length, why are you using a computer? 12 characters takes 2-3 seconds to type. My password is longer than 12 characters and I can type it in 2-3 seconds so why can't you?
Stop being so childish, grow up, and accept that you might have to, god forbid, make an effort when you come here.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 6:53 pm
Site Moderator
Joined Sat Feb 24, 2007 4:14 pm
Posts 5843
Location United Kingdom
Favourite OS Server 2012
Pwned wrote:
phpBB uses its own hash, so that would be harder to hack.
Not really, it's just marginally slower and not really any more secure than a salted MD5.
I doubt anyone would bother brute-forcing most of the passwords if they got hold of the database. I strongly suspect a dictionary attack would be more than sufficient, and much quicker too.
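Added example (not part of any post in this thread): a small estimator for the two points made above, that exhaustive search time grows exponentially with length, and that a dictionary attack makes a common word plus digits far cheaper to guess than its length suggests. The wordlist, the wordlist size and the guess rate are assumptions chosen for illustration, not figures from the thread.

```python
import math
import re
import string

# Constructed stand-in; a real check would load a large list of common passwords.
COMMON_WORDS = {"password", "letmein", "dragon", "windows", "monkey"}
ASSUMED_WORDLIST_SIZE = 1_000_000  # assumption: entries in a guessing wordlist
ASSUMED_GUESSES_PER_SEC = 1e9      # assumption: offline rate against a fast hash

def charset_size(pw):
    """Alphabet size implied by the character classes present in pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def naive_bits(pw):
    """Search space in bits if every character were picked at random."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def structured_bits(pw):
    """Search space in bits once obvious structure is taken into account."""
    half = len(pw) // 2
    # The same string typed twice costs a guesser one extra bit, not double.
    if half and len(pw) % 2 == 0 and pw[:half] == pw[half:]:
        return structured_bits(pw[:half]) + 1
    # Common word followed by digits: wordlist entries times digit suffixes.
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        caps = 1 if m.group(1) != m.group(1).lower() else 0
        return (math.log2(ASSUMED_WORDLIST_SIZE) + caps
                + len(m.group(2)) * math.log2(10))
    return naive_bits(pw)

def seconds_to_exhaust(bits, rate=ASSUMED_GUESSES_PER_SEC):
    """Worst-case time to try the whole space at the assumed rate."""
    return 2 ** bits / rate

if __name__ == "__main__":
    for pw in ("qzvmkx48", "qzvmkxtrw483", "password1234"):  # constructed samples
        n, s = naive_bits(pw), structured_bits(pw)
        print(f"{pw:14} naive {n:5.1f} bits  structured {s:5.1f} bits  "
              f"{seconds_to_exhaust(s) / 86400:12.4f} days")
```

A length-only rule scores the two 12-character samples identically; only the structured estimate separates them, which is why a common-password check belongs next to a minimum length.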
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 6:59 pm
Newbie Beta Collector
Joined Tue Feb 22, 2011 11:18 pm
Posts 23
Doesn't phpBB have the ability to lock out an account after x number of failed password attempts? 12 is a bit high, but I managed. It's nothing like those government passwords that require 15 characters with the following character not being like the preceding (a7B3c4 etc.).
Andy wrote:
8 characters can be brute forced in about 2 days. 12 characters takes about a month. That is the reason why we use more. I doubt anyone will go through the process of brute forcing an MD5 hash that will take them 1 month to find, should they get hold of the database.
If you can't remember it or use an 8 character password, stick 4 numbers on the end. Easy peasy, problem solved.
Edit: Those time figures might not be right actually, since the calculator I used didn't say what algorithm it was using. Point being the time it takes increases exponentially with length. The longer the better.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 7:35 pm
Site Moderator
Joined Sun Nov 09, 2008 12:09 am
Posts 2495
Location Berkshire, UK
Favourite OS Windows 7 SP1
Andy wrote:
phpBB3 might have its own algorithm, but it can still be brute forced. Keeping to a 12 character minimum prevents that being easy. If you're that bothered, don't visit BA. It's that simple. If you think we're bad, wait until you go working somewhere that you use a computer every day on. They'll be subject to even stricter passwords. My work requires you to have alphanumeric characters and symbols with a length of 16 characters, force changed every 2 weeks, and you can't use any password you used before, so it has to be different.
If you can't be bothered to remember a password 12 characters in length, why are you using a computer? 12 characters takes 2-3 seconds to type. My password is longer than 12 characters and I can type it in 2-3 seconds so why can't you?
Stop being so childish, grow up, and accept that you might have to, god forbid, make an effort when you come here.
There is a big difference between a website, and a place of work. Place of work, of course there's going to be bigger tougher tighter restrictions. It's obvious you've set in your mind that 12 character minimum is staying, I've stated I find this overkill, I've given up.
It's also not childish. That comment did get me a bit annoyed for a second imo.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 7:52 pm
1337 Beta Collector
Joined Mon Jul 19, 2010 8:34 pm
Posts 1452
Favourite OS Windows 98
I always believe in long passwords, since my login password exceeds 17 characters and it's well known for me and it only requires me just 1.5 seconds to write it.
Of course in work there should be high restrictions, especially where telecommunications management systems are present.
Just a last word: Security updates won't stop. New technologies were and will still be on the way for everybody who needs to protect his work against non-permitted users from modifications.
@Rioter: Hope you have a good day and nobody will annoy you
Edit: @Andy: Maybe he doesn't mean to annoy you. It's OK. Now I think he has known what's the risk in having a short password.
Last edited by Ahmed Jebara on Wed Feb 23, 2011 7:59 pm, edited 1 time in total.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 10:38 pm
Guru Beta Collector
Joined Wed Oct 11, 2006 3:17 am
Posts 940
Favourite OS 6.0.5219
Yeah I agree. Stop babying me. I don't need every website to hold my hand when creating a password. If I choose to use a small password, let me. It's my choice. The chances of someone hacking it are slim to begin with, it's not worth worrying about just for a few extra characters which brute force programs it would only take about a second or two longer anyway. I don't see why everyone is so paranoid about it or why every site I go to I have to have my hand held.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 10:38 pm
Site Administrator
Joined Fri Aug 18, 2006 11:47 am
Posts 11410
Location Merseyside, United Kingdom
Favourite OS Microsoft Windows 7 Ultimate x64
You just don't get it do you? This isn't just for your safety, it's for the site's safety as well. As I said earlier if you're unhappy, nothing forces you to be here. It's a small thing, deal with it or leave. I've had enough of people who whine about stupid things like this. It's hardly the end of the world. DEAL WITH IT.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 10:57 pm
1337 Beta Collector
Joined Tue Feb 12, 2008 5:28 pm
Posts 3045
Panda X wrote:
Yeah I agree. Stop babying me. I don't need every website to hold my hand when creating a password. If I choose to use a small password, let me. It's my choice. The chances of someone hacking it are slim to begin with, it's not worth worrying about just for a few extra characters which brute force programs it would only take about a second or two longer anyway. I don't see why everyone is so paranoid about it or why every site I go to I have to have my hand held.
That's a rather selfish attitude wouldn't you say?
The password is there for a reason. It's there to allow you access to protected information within the site. If it weren't that important then we wouldn't need the login system at all. If you leak your password, or it gets hacked then people that are not supposed to be here will get in and get access to protected data, as well as being able to do considerable damage to the site. Would you like people to be able to get into your account and flame, upload trash and get you kicked off the site? All because you were lazy and chose "beta1234" as password? A password that is VERY easy to crack. The password is as much for your own safety as well as for the site's. With today's increasing attacks we need to use a password that doesn't take 10 seconds to break into. And you obviously need to be hand held since you're not understanding why you need a password.
As for everyone else whining that the password is long and hard to forget etc etc, learn to cope. This is not only an issue with BetaArchive but with every other place on the net. You can easily write it down in a notepad, put a Post-It (not at work!) or whatever. I myself use a tool called KeePass to keep track of all my logins. The database itself is protected by a keyfile, password or both. Once you unlock it you can easily categorize and sort your login info, not only to websites. And if you want to do it a bit more high-tech you can get yourself a biometric scanner. It's not foolproof but it will allow you to use long passwords without anyone guessing them on the lunch break. A lot of laptops come with them already and you can get a desktop one for cheaps.
You people need to learn to create a system for yourselves when it comes to passwords. More or less every service on the net today requires a login of some kind and it can be hard to remember them all, so work out a system. Use a phrase with capital letters and numbers for example.
We understand the hardship with keeping track of the zillions of passwords needed everywhere, but rather than whine and nag at us come up with a better solution that allows us to keep security and ease of use at the same time. As I said, this isn't an issue only at BA, but an issue with any computerized society today. And no company has come with a decent solution yet. Which is why you need to think for yourself and create a solution that works for you. Like finger biometry, smartcards, key management software or just a piece of paper.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 11:00 pm
Site Moderator
Joined Sun Nov 09, 2008 12:09 am
Posts 2495
Location Berkshire, UK
Favourite OS Windows 7 SP1
Right, now I've had something to eat, things are working again and I'm feeling less like a miserable useless person.
I understand the limit is there for a reason, for site security. I still feel it's overdoing things. I can't name one site that requires you to have a 12 character password. Either way, true, it IS NOT the end of the world, just an annoyance. This topic got a bit out of hand with arrogance on ALL sides.
If you're like me, who cannot remember a long password (I struggle enough to remember my PayPal password at the best of times) then use a password manager like LastPass which will generate a secure password. Though when you're away from your home computer, you're stuffed.
Post subject: Re: Password Length Posted: Wed Feb 23, 2011 11:03 pm
Site Administrator
Joined Fri Aug 18, 2006 11:47 am
Posts 11410
Location Merseyside, United Kingdom
Favourite OS Microsoft Windows 7 Ultimate x64
Or you can do something simple like using a short password twice back to back... "Password1Password1" for example would be a perfectly fine password and it's easy to remember (though don't use that particular password, it's too easy to guess). Two dictionary words and a few numbers to equal 12 or more characters is still damn hard to brute force.
Still, you're all taking this far too dramatically. If you can't remember a 12 character long password which you yourself made up, something is wrong with your memory. It's been set to 12 characters for months now and not a single complaint until now.
Anyway, perhaps my previous posts were a bit harsh, but the point had to be made.
Post subject: Re: Password Length Posted: Thu Feb 24, 2011 1:47 am
Guru Beta Collector
Joined Wed Oct 11, 2006 3:17 am
Posts 940
Favourite OS 6.0.5219
Andy wrote:
You just don't get it do you? This isn't just for your safety, it's for the site's safety as well. As I said earlier if you're unhappy, nothing forces you to be here. It's a small thing, deal with it or leave. I've had enough of people who whine about stupid things like this. It's hardly the end of the world. DEAL WITH IT.
Wow jesus. I'm sorry for voicing my opinion.
Last edited by Panda X on Thu Feb 24, 2011 2:27 am, edited 5 times in total.
Post subject: Re: Password Length Posted: Thu Feb 24, 2011 4:23 am
Pro Beta Collector
Joined Sat May 15, 2010 1:59 am
Posts 455
Location Virginia, North America
Favourite OS Longhorn 4074
Dude, it's for the protection of all. I'm sure you would not like to see tonynoname, or Kenneth or someone else get easily hacked and spam the forum/read your PMs now would you?
When dealing with board issues you must consider everyone. Not just yourself.