Your default Drupal password check is real bad

On the registration page, when you are on the 2nd step to change your password there seems to be a default password strength check that comes from Drupal(?):
https://budgetlightforum.com/sites/budgetlightforum.com/files/js/js_u7eugNQ3_o_nMVKBo6PC1-PeRg5CXo7AI_vt58UiWdY.js
line 53:

This check is terrible, a password like k3dd8bd5tf is not a good strength password. There needs to be at least 30% UPPER REGISTRY letters and special symbols. At best, it should be between _weak_ and medium.

There are plenty of free implementations out there for password checks you can adopt. Ideally you’d pair it with the Have I Been Pwned API but that might be too much for a forum where a bunch of nerds talk lightbulbs.

To think the nerd chatting about light bulbs may be the nerd that stole his account…to talk about light bulbs.

Better encrypt the stream. :smiley:

But think about muh lightbulbs!

Seriously, though, this kind of lighthearted attitude (we just talk about this [insert_harmless_topic_here], no biggie, nobody cares!) is one of the reasons general internet security is at its lowest. The issue in particular is that it misleads the user, who is by default not really good at security and would assume that the “smart machine behind the screen” knows better and the password swordfish123 he supplied is really good, because, you see, there is a green indicator here that says so!

k3dd8bd5tf is way better than using the word incorrect as a password.

Not really:

I bet someone on here has ‘password’ as their password. :stuck_out_tongue:

It's fine.

I use that password for all of my accounts, and there have been no problems so far!

This article is absurd. Modern password crackers are rarely brute-force. They are tuned to the input constraints and incorporate psychology and even demographics. This article claims “Password” would be cracked instantly, which is true, while “P@ssw0rD” would take 14 years. If the attacker knows the user speaks English and a certain number of upper, number, and symbols are required, “P@ssw0rD” would be an obvious permutation for a cracking engine to try early, and would likely be cracked quickly.

A randomly chosen 10-character lower-alpha-numeric, however, will most likely require brute force. By your source’s estimate, 3 years on average with one CPU. If an attacker had an army of CPUs and was targeting you specifically on a flashlight hobbyist forum, yes, maybe “k3dd8bd5tf” could be considered weak. However, it’s far more likely an attacker will cast a wider net and take the weakest passwords first, which are likely simple permutations like “P@ssw0rD” that technically follow stricter password rules but are, in effect, weaker.

All this assumes an attacker has a local copy of the password database, in which case your entire site is probably hacked anyway.

Pffft. I use password123 to be extra secure!

Oh, damn. Does that mean I have to change it now? Okay, nobody look!

What people don’t seem to understand is that someone hitting a particular account a brazillion times trying one password then another, etc., would almost certainly a) be detected, and b) take f’n forever.

It’s this idiocy that your password needs to be soooooooooooo secure to withstand endless dictionary attacks which just gives people headaches and makes them do things like write their work-machine password on a stickynote and plaster it to the top of the monitor.

If you have an encrypted file and can bang on it forever to try to decrypt it, yeah, it makes sense to have a 147-char passphrase that looks like a cat walked across your keyboard. But to log into a web forum? Who’s gonna bother? And how many attempts before it’s noted and the account locked? Or just redirect subsequent attempts to a honeypot that won’t do anything but log the attempts.

JagerLion
That wasn't my point, it was just supplementary for the discussion that arose. My main point is here:

Don't be silly, it is not about someone bruteforcing your password in some unrealistic and exaggerated scenario, it is about the fact that the current algorithm used in the registration form that is responsible for the strength metric is very bad and outdated and facilitates bad understanding and bad password security culture.

Yes, it is not the end of the world, I get it. But it is also trivial to fix.

Fair enough. I didn’t mean to jump on you but my points were:

1) Mainstream articles on security are often outdated and/or misleading garbage.

2) Stronger requirements don’t always lead to stronger security. Here, “P@ssw0rD” rates stronger than “k3dd8bd5tf” but as I explained, the latter should take much longer to crack in practice.

3) Related to #2, extreme requirements could annoy users or (as Lightbringer points out) encourage other bad practices, post-it notes being just one example.

But I agree with you that security should be made stronger when it’s easy and appropriate to do so.
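As an added illustration of the point made in this reply and in the earlier one about “P@ssw0rD” versus “k3dd8bd5tf” (example code written here, not code from the thread, the forum or Drupal): a character-class meter of the kind the thread complains about, beside a guess-count estimate that, like a tuned cracker, undoes leet substitutions and case flips before checking a wordlist, and only falls back to brute force for strings that match nothing. The wordlist, the leet table, the 33-symbol alphabet and the offline guess rate are constructed assumptions; the ~3 guesses/second online figure is the one quoted later in the thread.

```python
import re

# Constructed stand-in for a cracking wordlist, ranked most common first (assumption).
COMMON_WORDS = ["password", "123456", "swordfish", "incorrect", "letmein"]
# Leet substitutions a cracker undoes before the dictionary lookup (assumed table).
LEET = str.maketrans("@$!0134", "asiolea")
# Guess rates: throttled online login (~3/s, as quoted in the thread) and an assumed
# offline rate against a leaked hash database.
ONLINE_RATE = 3.0
OFFLINE_RATE = 1e10


def class_meter(pw: str) -> str:
    """Character-class meter: counts which classes appear, ignores what the string is."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(pw) >= 8 and classes >= 4:
        return "strong"
    if len(pw) >= 8 and classes >= 2:
        return "medium"
    return "weak"


def guess_estimate(pw: str) -> int:
    """Guesses a tuned cracker needs: a dictionary hit costs only its rank times the
    number of case/leet variants; anything else costs half the brute-force keyspace."""
    low = pw.lower()
    base = low.translate(LEET)
    if base in COMMON_WORDS:
        rank = COMMON_WORDS.index(base) + 1
        flips = sum(c.isupper() for c in pw) + sum(a != b for a, b in zip(low, base))
        return rank * 2 ** flips
    sizes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
    alphabet = sum(n for pat, n in sizes if re.search(pat, pw))
    return alphabet ** len(pw) // 2


def crack_seconds(pw: str, rate: float) -> float:
    """Expected time to guess pw at the given guesses-per-second rate."""
    return guess_estimate(pw) / rate


if __name__ == "__main__":
    for pw in ("P@ssw0rD", "k3dd8bd5tf"):
        print(f"{pw:12} meter={class_meter(pw):6} guesses={guess_estimate(pw):.3g} "
              f"online={crack_seconds(pw, ONLINE_RATE) / 86400:.3g}d "
              f"offline={crack_seconds(pw, OFFLINE_RATE):.3g}s")
```

The class meter rates “P@ssw0rD” strong and “k3dd8bd5tf” medium, while the guess estimate reverses the order by many orders of magnitude, which is the gap between rule-based meters and how cracking actually proceeds.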

The current implementation of the password security does not impose any limitations, it is merely informational. I’ve just changed my password to `12345`

Wow, this got more complicated than I imagined.
So should I assume that using “password” followed by the last 4 digits of my SSN is not safe?

I couldn’t remember how to access my router so I used ‘passwordadmin’

Mine is 1, 2, 3, 4, 5. It’s the same on my luggage. :laughing:

I think the OP got his message across and those who needed it either heeded or rejected it. Hopefully they recognize the difference in security needed for their casual hobby blogs vs their banking/financial/political/porno sites. God help me iffn she guesses her sister’s pube tattoo.

Dear Digika,

Not long ago I used some password strength tests, and overall according to them my passwords weren't secure enough. However, that does not mean my passwords are bad; rather, those password testers are ridiculous. And I'm serious.

First of all, do you really think you can brute force a password? In which videogame? Think of it…

In the first place, many modern or security-concerned sites warn you after a couple failed attempts, and force you to restore password after a third mistake or so. I think G00gl€ does it, if I do recall right.

I just checked BLF; BLF allows you to try “as much as you need”. Does this mean it is unsafe?

In practice, not really. This is because BLF needs time to respond to your login requests; this takes time. Compared to ridiculous password testers, a lot more time. Therefore, the rate of passwords you could try would at most be like 2 - 3 per second. Also, you'd need to design or get a special software bot to brute force the password of some account here. And then, this forum has a moderator, a person in charge who periodically checks forum logs and stuff like that. This means it would only take a limited amount of time for him to notice this odd behaviour (days, a week, etc.), proceed to ban any “inquiring into” bot IP address and inform the target user of this problem.

Whether the above is fully correct or not, our moderator sb56637 knows better. I'll try to draw his attention on the matter.

The strength of a password namely relies on the energy and consciousness which is behind it, this is the energy and consciousness of its creator.

Its subtle energy makes a password strong; its consciousness makes it safe, knowing when to change if required.

This is the reason my passwords and the passwords of most people around here are never cracked. Not because they're unsafe according to some unrealistic and absurd password tester.

Back to my lair now…

Top quality shitpost, my friend, I can appreciate it:

Dear Digika,

You need a spank, and I am sure you'll receive it.