Post subject: Re: Password Length Posted: Thu Feb 24, 2011 4:33 am
1337 Beta Collector
Joined Mon Nov 15, 2010 8:31 am
Posts 1222
Favourite OS whistler 2416
My password is 23-25 characters long. I've never had someone hack it. It used to be 7 characters long and someone did hack that, so I made the switch to strong passwords. I put it in a password generator and it said my password is overkill.
Post subject: Re: Password Length Posted: Sat Feb 26, 2011 10:33 am
Site Administrator
Joined Fri Aug 18, 2006 11:47 am
Posts 11467
Location Merseyside, United Kingdom
Favourite OS Microsoft Windows 7 Ultimate x64
I honestly can't see what the issue is here. I have several regular passwords with different permutations for different sites ranging from 9-18 characters in length. Those are not hard to remember, and they're all different lengths depending on the security I need for the site. If you can't remember a few passwords that you yourself made up, then something is very wrong with you. The only reason I use a browser password manager is so I don't have to type it, not because I can't remember them.
You don't have to use a random password generator to be secure; it's all about the length and case. You could have a password like "MyFavouriteFoodIsPizza123" and it would be a perfectly secure 25 character password. See how easy it is? It would be very hard to brute force that password if someone tried because of its length.
Post subject: Re: Password Length Posted: Mon Feb 28, 2011 4:11 pm
Site Moderator
Joined Sat Feb 24, 2007 4:14 pm
Posts 5932
Location United Kingdom
Favourite OS Server 2012
Equally though, that password would turn up in a dictionary attack relatively quickly, since it's just a series of unmodified dictionary words with a couple of numbers on the end.
Post subject: Re: Password Length Posted: Mon Feb 28, 2011 4:27 pm
Site Administrator
Joined Fri Aug 18, 2006 11:47 am
Posts 11467
Location Merseyside, United Kingdom
Favourite OS Microsoft Windows 7 Ultimate x64
Being honest I doubt it would. Dictionary attacks are just that, they're not sentence attacks with numbers on the end, and its length means it can't just be brute forced either.
Post subject: Re: Password Length Posted: Mon Feb 28, 2011 5:18 pm
Site Moderator
Joined Sun Nov 09, 2008 12:09 am
Posts 2500
Location Berkshire, UK
Favourite OS Windows 7 SP1
Andy wrote:
Being honest I doubt it would. Dictionary attacks are just that, they're not sentence attacks with numbers on the end, and its length means it can't just be brute forced either.
Doesn't mean they can't be adapted to sentences. Bet you that will be next.
Post subject: Re: Password Length Posted: Tue Mar 01, 2011 3:38 am
Pro Beta Collector
Joined Sat May 15, 2010 1:59 am
Posts 455
Location Virginia, North America
Favourite OS Longhorn 4074
There's no password that can't be cracked with infinite time and a supercomputer.
IBM Roadrunner anybody?
Anyway, best way to prevent a hacking imho would be to bar off someone for a few hours after three incorrect attempts or something like that. Would delay a hacking by days.
Post subject: Re: Password Length Posted: Thu Mar 03, 2011 8:00 pm
Site Moderator
Joined Sat Feb 24, 2007 4:14 pm
Posts 5932
Location United Kingdom
Favourite OS Server 2012
Rioter wrote:
Andy wrote:
Being honest I doubt it would. Dictionary attacks are just that, they're not sentence attacks with numbers on the end, and its length means it can't just be brute forced either.
Doesn't mean they can't be adapted to sentences. Bet you that will be next.
Seen plenty that adapt to multiple words, and can also adapt to common techniques such as replacing letters with numbers, etc. Admittedly, it slows the attack down by as much as 10 times, but that's still a hell of a lot quicker than brute-force.
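The disagreement in the posts above (searching character by character versus guessing whole words) can be put in numbers. This is an added example, not part of any post: it estimates a password's search space under both models and takes the smaller one. The word list, the 20,000-word dictionary size and all function names are assumptions made for illustration; the factor of 10 for letter substitutions is the figure quoted in the post above.

```python
import math

# Constructed sample word list; a real estimate would use a full dictionary.
WORDS = {"my", "favourite", "food", "is", "pizza", "password", "horse"}
ASSUMED_DICT_SIZE = 20_000  # assumption: words in the guesser's dictionary
MANGLING_FACTOR = 10        # "as much as 10 times" figure quoted in the thread

def charset_size(pw):
    """Size of the smallest common character pool that covers pw."""
    pools = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
             (lambda c: not c.isalnum(), 33))
    return sum(n for test, n in pools if any(test(c) for c in pw))

def brute_force_bits(pw):
    """log2 of the character-by-character search space."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def segment(pw):
    """Split pw into known words plus trailing digits, or return None."""
    body = pw.rstrip("0123456789")
    digits, lower = pw[len(body):], body.lower()
    best = [None] * (len(lower) + 1)  # best[i]: fewest words spelling lower[:i]
    best[0] = []
    for i in range(1, len(lower) + 1):
        for j in range(i):
            if best[j] is not None and lower[j:i] in WORDS:
                cand = best[j] + [lower[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return (best[-1], digits) if best[-1] else None

def dictionary_bits(pw):
    """log2 of the search space when whole words are the guessing unit."""
    seg = segment(pw)
    if seg is None:
        return None
    words, digits = seg
    guesses = ASSUMED_DICT_SIZE ** len(words) * 10 ** len(digits) * MANGLING_FACTOR
    return math.log2(guesses)

def effective_bits(pw):
    """The weaker of the two models is what the password is actually worth."""
    d = dictionary_bits(pw)
    return brute_force_bits(pw) if d is None else min(brute_force_bits(pw), d)

if __name__ == "__main__":
    for pw in ("MyFavouriteFoodIsPizza123", "xK9#qL2v"):  # constructed samples
        print(pw, round(brute_force_bits(pw), 1), round(effective_bits(pw), 1))
```

The result depends heavily on the assumed dictionary size and on how many words the phrase contains, so change `ASSUMED_DICT_SIZE` to see how the estimate moves.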
Post subject: Re: Password Length Posted: Wed Jun 15, 2011 3:29 pm
I apologize for bringing this up again, but this annoys me to no end each and every single time I log in.
I have never seen a website that required a password longer than 8 characters - this even includes websites crazy about security such as online banking! Does the staff here really claim that BetaArchive is more important and/or liable to hacking than sites dealing with financial information?
Even more importantly (and ridiculously), it was mentioned that BetaArchive (likely - I haven't tested this myself) already has a security feature which almost completely prevents brute-force attacks. In other words, the only realistic way to hack an account here is to obtain a copy of the database - and if that happens, BetaArchive has bigger things to worry about than accounts being hacked.
Please change the required password length to no more than 8 characters - as I mentioned above, it's like a standard at security-conscious websites.
Post subject: Re: Password Length Posted: Wed Jun 15, 2011 4:34 pm
1337 Beta Collector
Joined Sun Jan 10, 2010 9:58 pm
Posts 1363
Location Portugal
Favourite OS Windows 9x, 2000, NT4, 7989,7000
I don't think it's that hard to memorise an eight character password. A secure password is always 8 characters or more, numbers, lower and upper case letters and symbols. And I think they meant the FTP, on the brute force discussion.
Post subject: Re: Password Length Posted: Wed Jun 15, 2011 4:45 pm
Spider-Vice wrote:
I don't think it's that hard to memorise an eight character password. A secure password is always 8 characters or more, numbers, lower and upper case letters and symbols. And I think they meant the FTP, on the brute force discussion.
The current required password length is 12 characters - I would like it to be reduced to no more than 8.
Post subject: Re: Password Length Posted: Wed Jun 15, 2011 4:51 pm
Site Administrator
Joined Fri Aug 18, 2006 11:47 am
Posts 11467
Location Merseyside, United Kingdom
Favourite OS Microsoft Windows 7 Ultimate x64
If you can't remember 12 characters then I think you have bigger problems unfortunately. We settled on 12 characters because you can brute force 8 characters very easily. 12, not so easily. It's exponentially harder and takes longer to brute force with more characters. Simple as that.
8 characters might take 24 hours to brute force, 12 might take a month. Do you see the reason why we enforce that now?
Post subject: Re: Password Length Posted: Wed Jun 15, 2011 5:47 pm
Site Moderator
Joined Sun Nov 09, 2008 12:09 am
Posts 2500
Location Berkshire, UK
Favourite OS Windows 7 SP1
I'm just going to summarise my thoughts in one sentence. This applies to both sides.
Be realistic.
As for fact, it's been said that Andy is unwilling to budge. Unfortunately we've all got to live with that. I don't like it, I think it's overkill for this site, but there we go. At the end of the day, don't like it and feel it's just unjustified etc etc.. either live with it, or bye bye. The door's to your left. Remember to close it.
If you have problems remembering long passwords, my suggestion is a SECURE password manager (e.g. LastPass). Don't do what Andy suggests and use a word and numbers, because that's just then prone to a smart dictionary attack, and completely bypasses the point of a long password.