Does anyone know of a list of the requirements for creating passwords
for various sites like Yahoo, Facebook, etc., etc.?

I mean as far their length, characters allowed or disallowed, etc.

This info simply isn't on most sites.

On Mon, 2 May 2022 at 11:32:01, harry@invalid.com wrote (my responses
usually FOLLOW):
>Does anyone know of a list of the requirements for creating passwords
>for various sites like Yahoo, Facebook, etc., etc.?
>
>I mean as far their length, characters allowed or disallowed, etc.
>
>This info simply isn't on most sites.

Most sites I've been to that need you to create a password (I don't use
the above two) usually _do_ tell you the requirements - though in many
cases only after you've tried one that doesn't meet them.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

"If you have ten thousand regulations you destroy all respect for the
law." - Winston Churchill.

On 5/2/2022 12:32 PM, harry@invalid.com wrote:
> Does anyone know of a list of the requirements for creating passwords
> for various sites like Yahoo, Facebook, etc., etc.?
>
> I mean as far their length, characters allowed or disallowed, etc.
>
> This info simply isn't on most sites.
>

Use a password generator. Then change a couple characters
in the generated password, for good measure.

https://blog.1password.com/how-long-should-my-passwords-be/

One of the unwritten rules of White Hats, is not
"documenting all the weaknesses of your defenses".

That's why there is no neat list of rules like that.
That would be a violation of the White Hat code.

Paul

harry@invalid.com wrote:

> Does anyone know of a list of the requirements for creating passwords
> for various sites like Yahoo, Facebook, etc., etc.?
>
> I mean as far their length, characters allowed or disallowed, etc.
>
> This info simply isn't on most sites.

Different sites employ different password rules, and the rules can
change even at the same site. You find out their requirements when you
don't meet them. What they use now can change later; for example, they
might now require 10 characters that are alphanumeric, but later require
14 characters along with one, or more, non-alphanumeric characters, like
period, underscore, etc, but not the space character. You won't know
what rules they want at the time until you have to create a new password
when creating an account there, or when they expire your old password
and require you to change it. They could even cycle through different
criteria on password generation (different rules are applied on
different instances of generation) as a moving target against brute
force hacking.

On Mon, 2 May 2022 21:12:05 +0100, "J. P. Gilliver (John)"
<G6JPG@255soft.uk> wrote:

>On Mon, 2 May 2022 at 11:32:01, harry@invalid.com wrote (my responses
>usually FOLLOW):
>>Does anyone know of a list of the requirements for creating passwords
>>for various sites like Yahoo, Facebook, etc., etc.?
>>
>>I mean as far their length, characters allowed or disallowed, etc.
>>
>>This info simply isn't on most sites.
>
>Most sites I've been to that need you to create a password (I don't use
>the above two) usually _do_ tell you the requirements

Yes, but unfortunately the requirements vary from site to site. There
should be a standard that everyone adheres to.

>- though in many
>cases only after you've tried one that doesn't meet them.

Unfortunately yes.

On Mon, 2 May 2022 21:12:05 +0100, "J. P. Gilliver (John)"
<G6JPG@255soft.uk> wrote:

>On Mon, 2 May 2022 at 11:32:01, harry@invalid.com wrote (my responses
>usually FOLLOW):
>>Does anyone know of a list of the requirements for creating passwords
>>for various sites like Yahoo, Facebook, etc., etc.?
>>
>>I mean as far their length, characters allowed or disallowed, etc.
>>
>>This info simply isn't on most sites.
>
>Most sites I've been to that need you to create a password (I don't use
>the above two) usually _do_ tell you the requirements - though in many
>cases only after you've tried one that doesn't meet them.

Very, very few tell you the full set of requirements, even after
entering one not allowed.

It's ridiculous not having the neccessy info before having an intended
password rejected.

Ken Blake wrote:

> "J. P. Gilliver (John)" wrote:
>
>> harry@invalid.com wrote:
>>
>>> Does anyone know of a list of the requirements for creating
>>> passwords for various sites like Yahoo, Facebook, etc., etc.?
>>>
>>> I mean as far their length, characters allowed or disallowed, etc.
>>>
>>> This info simply isn't on most sites.
>>
>> Most sites I've been to that need you to create a password (I don't
>> use the above two) usually _do_ tell you the requirements
>
> Yes, but unfortunately the requirements vary from site to site. There
> should be a standard that everyone adheres to.

Then you migrate away from using passwords except for use during an
out-of-band method to generate secret key, like with OAUTH tokens or
SESPAKE (https://www.rfc-editor.org/rfc/rfc8133.html). The problem with
keys that are far stronger than any user-generated passwords is that
they are host specific. That is, you create the key once per host, but
have to generate another one on another host. The server handles key
management to know which hosts with different keys have access to common
data. Well, you know the response you'll see from the Google haters:
ooh, they know my keys, and must somehow be abusing me. well, there is
the privacy issue since they, or anyone else managing the security keys,
know which host(s) you are using to access the common data, and there
are uber-sensitive users that don't want anyone to track anything about
them (and yet they have credit cards instead of using cash for every
transaction which has become nearly impossible or highly nuisancesome).

Hmm, let's see: I can keep control over my strong passwords, or I can
pass control, management, and tracking to someone else. I'd choose the
former, but how many sites let you specify 4096 characters in length
using every ASCII legitimate character, even space and NUL (not sure how
an HTML input field would let you enter the NUL character), and how
would you remember them? After all, you should NOT be reusing the same
password at multiple sites. Every site should be assigned a unique
password; i.e., a password is usable at only ONE site. Even if there
were some password standard, you'd still have to remember every
site-unique password, and the longer and more convulted are the rules
then the harder it would be to remember all those unique site-specific
passwords. If you use one very strong password at every site where you
login, a hacker that gets into one account can then try all the common
sites to see if you have accounts over there, too. Same password
everywhere means "hacked once, hacked everywhere." You're going to save
them somewhere? Then that becomes the weak link to securing your
passwords.

I don't much care for security key management, and I don't want to lug
around a USB security drive for authentication (how to login if I lose
the thumb drive?), so I still prefer passwords, and unique ones to each
site. I came up with an algorithm that lets me generate strong
passwords at every site where I need to login, and allows some variation
to accomodate sites with different rules, but eventually I hit a site
where my algorithm doesn't work, so I have to modify it to accommodate
old and new requirements. Still, the user is the weak link. Anytime
the user is involved means security suffers. Ease of use and security
are the antithesis of each other.

Hmm, some folks will mention biometrics. Well, if you don't care about
someone pulling out your eyeball, chopping off a finger, or knocking you
out to hoist your eyeball or finger to a reader then that's probably
safe enough. However, fingerprints for example, really aren't that
secure. Hell, they'll use 6-point fingerprints as evidence to charge
you, and perhaps 12-point in court, but obviously a sampling of your
fingerprint is not your entire fingerprint. What's the resolution of
your fingerprint reader? How many points will the software or server
accept? Whatever the limits, they aren't reading your entire
fingerprint, or that portion that the reader can see that you press
against it. Perhaps no two fingerprints are the same (not sure anyone
has proven it, or just statistics used to make the claim), but when
reading only a fixed set of data points then how could that claim be
assured? There have been estimates that there can be 2.7e+275, but that
number of variations actually supported by the genetically possible
variations? Despite how many fingerprints can possible be unique,
obviously no physical finger reader, software, or storage can use that
number of data points. Fingerprint readers have a fixed data point
volume, and are NOT non-zero for error rate. However, how many users of
computers are there that don't have any fingers? Double arm amputees?
And the data point count for fingerprint readers is definitely larger
than the number of characters users will ever manage with passwords.
Will every computer (desktop, mobile, someone else's device) have a
fingerprint reader? They're hardly universal, and vary wildly in data
count and accuracy. Will you always be able to wash your hands before
pressing one, or more, fingers against a reader?

You could combine a retina reader (which check with varying light that
your iris changes diameter to ensure you're alive), fingerprint reader,
voice reader, blood test for typing and [partial] DNA matching, a breath
exhale and inhale capacity test or a blood pressure test to ensure
you're alive, a dental x-ray match, MRI, and other biometric data and
finally with an extremely long and complicated password (that might
match on some future standard), but who wants to spend the money on all
those testers along with taking days to login?

Nowadays police and courts embrace DNA tests as the ultimate
identification method. They once felt the same way about fingerprints.
Neither uses your entire DNA string or all of your fingerprint. They
use sampling, and the sample sizes really don't guarantee absolute
uniqueness. Sampling precludes a guarantee of "no two fingerprints are
alike", and the same for DNA. If you had a heart or kidney transplant,
technology would say you aren't you anymore. I'm not sure there is any
technology that can absolutely identify you are you regardless of age,
damage, or mutation over time.

I'm not sure there is any technology that can absolutely identify you
are you from your state when born to when you die. Wonder what we'll
use if we get to cloning humans. Passwords and keys only prove whomever
submitted them had them, not that it was you that submitted them.

On Mon, 2 May 2022 16:19:26 -0400, Paul <nospam@needed.invalid> wrote:

>On 5/2/2022 12:32 PM, harry@invalid.com wrote:
>> Does anyone know of a list of the requirements for creating passwords
>> for various sites like Yahoo, Facebook, etc., etc.?
>>
>> I mean as far their length, characters allowed or disallowed, etc.
>>
>> This info simply isn't on most sites.
>>
>
>Use a password generator. Then change a couple characters
>in the generated password, for good measure.

I always do that, or misspell words in passphrases.

>
>https://blog.1password.com/how-long-should-my-passwords-be/
>
>One of the unwritten rules of White Hats, is not
>"documenting all the weaknesses of your defenses".

I'm not even going into that nonsense. It doesn't help the hacker if
I have a complete knowledge of length, or if upper & lower case is
allowed, plus which characters are allowed, if any. This info sets me
up for creating the strongest possible password.

Amazon here is almost perfect in their password info on this page.

https://pay.amazon.com/help/201754750

Their only goof is not giving out the max length figure.

It does the hacker no good to know that max length could be as much as
64 or 32 characters. Choosing a good generator for such a password
would pretty much put the kibosh on hacking your account as far as
password weakness goes.

>That's why there is no neat list of rules like that.
>That would be a violation of the White Hat code.
>
> Paul

As i said, that's nonsense.

On Mon, 2 May 2022 17:51:35 -0500, VanguardLH <V@nguard.LH> wrote:

>harry@invalid.com wrote:
>
>> Does anyone know of a list of the requirements for creating passwords
>> for various sites like Yahoo, Facebook, etc., etc.?
>>
>> I mean as far their length, characters allowed or disallowed, etc.
>>
>> This info simply isn't on most sites.
>
>Different sites employ different password rules, and the rules can
>change even at the same site. You find out their requirements when you
>don't meet them. What they use now can change later; for example, they
>might now require 10 characters that are alphanumeric, but later require
>14 characters along with one, or more, non-alphanumeric characters, like
>period, underscore, etc, but not the space character. You won't know
>what rules they want at the time until you have to create a new password
>when creating an account there, or when they expire your old password
>and require you to change it. They could even cycle through different
>criteria on password generation (different rules are applied on
>different instances of generation) as a moving target against brute
>force hacking.

That doesn't answer my question as to CURRENT requirements.

On Mon, 02 May 2022 17:15:30 -0700, Ken Blake <Ken@invalid.news.com>
wrote:

>On Mon, 2 May 2022 21:12:05 +0100, "J. P. Gilliver (John)"
><G6JPG@255soft.uk> wrote:
>
>>On Mon, 2 May 2022 at 11:32:01, harry@invalid.com wrote (my responses
>>usually FOLLOW):
>>>Does anyone know of a list of the requirements for creating passwords
>>>for various sites like Yahoo, Facebook, etc., etc.?
>>>
>>>I mean as far their length, characters allowed or disallowed, etc.
>>>
>>>This info simply isn't on most sites.
>>
>>Most sites I've been to that need you to create a password (I don't use
>>the above two) usually _do_ tell you the requirements
>
>Yes, but unfortunately the requirements vary from site to site. There
>should be a standard that everyone adheres to.

That is my point. Every site ought to give out the rules pertinent to
that site.

>
>>- though in many
>>cases only after you've tried one that doesn't meet them.
>
>
>Unfortunately yes.

On 5/2/2022 11:01 PM, harry@invalid.com wrote:
> On Mon, 2 May 2022 16:19:26 -0400, Paul <nospam@needed.invalid> wrote:
>
>> On 5/2/2022 12:32 PM, harry@invalid.com wrote:
>>> Does anyone know of a list of the requirements for creating passwords
>>> for various sites like Yahoo, Facebook, etc., etc.?
>>>
>>> I mean as far their length, characters allowed or disallowed, etc.
>>>
>>> This info simply isn't on most sites.
>>>
>>
>> Use a password generator. Then change a couple characters
>> in the generated password, for good measure.
>
> I always do that, or misspell words in passphrases.
>
>>
>> https://blog.1password.com/how-long-should-my-passwords-be/
>>
>> One of the unwritten rules of White Hats, is not
>> "documenting all the weaknesses of your defenses".
>
> I'm not even going into that nonsense. It doesn't help the hacker if
> I have a complete knowledge of length, or if upper & lower case is
> allowed, plus which characters are allowed, if any. This info sets me
> up for creating the strongest possible password.
>
> Amazon here is almost perfect in their password info on this page.
>
> https://pay.amazon.com/help/201754750
>
> Their only goof is not giving out the max length figure.

They make an argument here, for the existence of a maximum
password length, based on the use of hashes to store the password.
The argument seems a wee bit circular.

https://www.malwaretech.com/2014/05/the-reason-for-maximum-password-lengths.html

It's claimed Ebay has a 20 character limit, and this might be
related to using 128 bit MD5 hashes for storage, and "not wanting
to create hash collisions". So the character length is cut off,
to avoid the MD5 storage of such, needing collision handling.

You can use anything you want for hashing, and that's not the
only method.

The reason people use "well known" methods, is in the hope
that the method used will not have "surprises in store".

What we might conclude from that, is the possibility the
max value is "quantized" a bit. Like if 20 characters is
the Ebay limit, another company could have a 40 character
limit. And nothing stops the 40 character company from
arbitrarily setting the limit to 33 characters, just
to annoy analysts.

At least that article hints, that the design max length
isn't a random number pulled from a hat. The justification
for a choice, might be based on back end storage.

Paul

On 03/05/2022 03:55, VanguardLH wrote:
>
> Nowadays police and courts embrace DNA tests as the ultimate
> identification method.

Perhaps they did at one time, until this:

The Case of Lydia Fairchild and Her Chimerism (2002)
https://embryo.asu.edu/pages/case-lydia-fairchild-and-her-chimerism-2002

"By: Alexis Darby
Published: 2021-06-01
Keywords: Lydia Fairchild, DNA evidence, Human chimeras

In 2002, after applying for government assistance in the state of
Washington, Lydia Fairchild was told that her two children were not a
genetic match with her and that therefore, biologically, she could not
be their mother. Researchers later determined that the genetic mismatch
was due to chimerism, a condition in which two genetically distinct cell
lines are present in one body. The state accused Fairchild of fraud and
filed a lawsuit against her. Following evidence from another case of
chimerism documented in The New England Journal of Medicine in a woman
named Karen Keegan, Fairchild was able to secure legal counsel and
establish evidence of her biological maternity. A cervical swab
eventually revealed Fairchild’s second distinct cell line, showing that
she had not genetically matched her children because she was a chimera.
Fairchild’s case was one of the first public accounts of chimerism and
has been used as an example in subsequent discussions about the validity
and reliability of DNA evidence in legal proceedings within the United
States."

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk

On Mon, 2 May 2022 at 21:55:08, VanguardLH <V@nguard.LH> wrote (my
responses usually FOLLOW):
[]
>them (and yet they have credit cards instead of using cash for every
>transaction which has become nearly impossible or highly nuisancesome).

I like that word!
>
>Hmm, let's see: I can keep control over my strong passwords, or I can
>pass control, management, and tracking to someone else. I'd choose the
>former, but how many sites let you specify 4096 characters in length
>using every ASCII legitimate character, even space and NUL (not sure how
>an HTML input field would let you enter the NUL character), and how

I haven't tried using one in a password, but I've found that I can
usually enter a tab character in HTML fields by cut-and-pasting it from
(e. g.) a text file. (Dunno how I'd do that for a nul character,
though.)
[Mayayana-length rest deleted. (All good stuff!)]
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Veni, Vidi, Vomit (I came, I saw, I was ill) - mik@saslimited.demon.co.uk, 1998

On Mon, 2 May 2022 at 21:36:42, harry@invalid.com wrote (my responses
usually FOLLOW):
>On Mon, 2 May 2022 21:12:05 +0100, "J. P. Gilliver (John)"
><G6JPG@255soft.uk> wrote:
>
>>On Mon, 2 May 2022 at 11:32:01, harry@invalid.com wrote (my responses
>>usually FOLLOW):
[]
>>>This info simply isn't on most sites.
>>
>>Most sites I've been to that need you to create a password (I don't use
>>the above two) usually _do_ tell you the requirements - though in many
>>cases only after you've tried one that doesn't meet them.
>
>Very, very few tell you the full set of requirements, even after
>entering one not allowed.

Yes, I've had one - not often - where repeated efforts to enter
something in line with what their "reject" message specified, failed. (I
did eventually guess what was required - can't remember, I think it
might have been _both_ upper and lower case.)

This sort of repeated refusal is a security risk (to the user, not the
site): if someone has hacked into the conversation, seeing the user's
repeated attempts will give the hacker some insight into the user's
algorithm for generating passwords. (Probably OK if user is using some
generator, but many users just use permutations on a common theme.)
>
>It's ridiculous not having the neccessy info before having an intended
>password rejected.
>
>
>
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Veni, Vidi, Vomit (I came, I saw, I was ill) - mik@saslimited.demon.co.uk, 1998

On Tue, 3 May 2022 at 01:33:10, Paul <nospam@needed.invalid> wrote (my
responses usually FOLLOW):
[]
>What we might conclude from that, is the possibility the
>max value is "quantized" a bit. Like if 20 characters is
>the Ebay limit, another company could have a 40 character
>limit. And nothing stops the 40 character company from
>arbitrarily setting the limit to 33 characters, just
>to annoy analysts.
[]
Old joke:
Wife asks husband to help with website. It gets to the point:

site: Please enter a password.
Husband (intending to shock wife): PENIS.
Site: Password too short.
Wife collapses in giggles.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

I hate petitions, they're the modern-day equivalent of villagers with
pitchforks and flaming torches. - Alison Graham RT 2016/2/20-26

"J. P. Gilliver (John)" <G6JPG@255soft.uk> wrote

| >Does anyone know of a list of the requirements for creating passwords
| >for various sites like Yahoo, Facebook, etc., etc.?
| >
| | Most sites I've been to that need you to create a password (I don't use
| the above two) usually _do_ tell you the requirements - though in many
| cases only after you've tried one that doesn't meet them.

Yes. It's like system requirements. There's no excuse
for not teling people clearly.

Recently I was trying to set up a camera doorbell for
a friend. It kept rejecting the password by marking the
secone entry with a red, squiggly underline, implying the
two entries didn't match. I finally figuredout that the
password was *too long*! That never occurred to me,
since longer is usually better. I blame that on half-assed
programmers who can't be bothered to code properly.

On the other hand, starting a list of such problems seems
off the deep end to me. The problem will only happen
once with each product. In the time it took Harry to not bother
to type his question properly, he could have worked out a
password.

Harry,

> Very, very few tell you the full set of requirements, even
> after entering one not allowed.

Indeed. My previous ISP was one of them. They did have a page with
requirements, but as it turned out it was incomplete.

The end result of such a "we won't tell you" is actually counter productive
: After a few times trying and being rejected the user will just create a
password without any "special stuff" in it - so it will pass the rejection
filter.

IOW, instead of the "we won't tell you" making it harder for an attacker
they actually make it easier. :-(

Regards,
Rudy Wieser

On 5/3/2022 8:49 AM, R.Wieser wrote:
> Harry,
>
>> Very, very few tell you the full set of requirements, even
>> after entering one not allowed.
>
> Indeed. My previous ISP was one of them. They did have a page with
> requirements, but as it turned out it was incomplete.
>
> The end result of such a "we won't tell you" is actually counter productive
> : After a few times trying and being rejected the user will just create a
> password without any "special stuff" in it - so it will pass the rejection
> filter.
>
> IOW, instead of the "we won't tell you" making it harder for an attacker
> they actually make it easier. :-(
>
> Regards,
> Rudy Wieser

If you tell me precisely what your password rules are,
I will tune my Kali run, to suit.

It's because of that, most of the rules could be inherited
from one site to another. Aa1$ . Use the wide character set.
Don't use dictionary words. Then, some length defined,
min - max, where the max might be defined by how the
database is designed.

And there have been cases in the past, where the user
was allowed to define an extra long password, but the
site was just throwing away the excess. They didn't even
bother to hash it in.

The hassle of recovering accounts that get locked out,
is why more experiments like that aren't done.

I'd be using 12345678, but the practice of comparing your
password to the existing 2 billion entry table of hacked
passwords, means I can't use that any more.

I think after a while, you'll come up with a few conclusions
about what you should do.

Why can't you get it right on the very first try ???

Paul

On Tue, 3 May 2022 01:33:10 -0400, Paul <nospam@needed.invalid> wrote:

>On 5/2/2022 11:01 PM, harry@invalid.com wrote:
>> On Mon, 2 May 2022 16:19:26 -0400, Paul <nospam@needed.invalid> wrote:
>>
>>> On 5/2/2022 12:32 PM, harry@invalid.com wrote:
>>>> Does anyone know of a list of the requirements for creating passwords
>>>> for various sites like Yahoo, Facebook, etc., etc.?
>>>>
>>>> I mean as far their length, characters allowed or disallowed, etc.
>>>>
>>>> This info simply isn't on most sites.
>>>>
>>>
>>> Use a password generator. Then change a couple characters
>>> in the generated password, for good measure.
>>
>> I always do that, or misspell words in passphrases.
>>
>>>
>>> https://blog.1password.com/how-long-should-my-passwords-be/
>>>
>>> One of the unwritten rules of White Hats, is not
>>> "documenting all the weaknesses of your defenses".
>>
>> I'm not even going into that nonsense. It doesn't help the hacker if
>> I have a complete knowledge of length, or if upper & lower case is
>> allowed, plus which characters are allowed, if any. This info sets me
>> up for creating the strongest possible password.
>>
>> Amazon here is almost perfect in their password info on this page.
>>
>> https://pay.amazon.com/help/201754750
>>
>> Their only goof is not giving out the max length figure.
>
>They make an argument here, for the existence of a maximum
>password length, based on the use of hashes to store the password.
>The argument seems a wee bit circular.
>
>https://www.malwaretech.com/2014/05/the-reason-for-maximum-password-lengths.html
>
>It's claimed Ebay has a 20 character limit, and this might be
>related to using 128 bit MD5 hashes for storage, and "not wanting
>to create hash collisions". So the character length is cut off,
>to avoid the MD5 storage of such, needing collision handling.
>
>You can use anything you want for hashing, and that's not the
>only method.
>
>The reason people use "well known" methods, is in the hope
>that the method used will not have "surprises in store".
>
>What we might conclude from that, is the possibility the
>max value is "quantized" a bit. Like if 20 characters is
>the Ebay limit, another company could have a 40 character
>limit. And nothing stops the 40 character company from
>arbitrarily setting the limit to 33 characters, just
>to annoy analysts.
>
>At least that article hints, that the design max length
>isn't a random number pulled from a hat. The justification
>for a choice, might be based on back end storage.
>
> Paul

My password for eBay is 32 characters. I used only upper/lower case
plus numbers. I didn't want to go weird finding which
punctuation/special characters would also be accepted.

Usually, I try to use phrases, but lots of luck with that with almost
all sites. Freebie Mail.com does allows phrases.

On Tue, 3 May 2022 14:49:38 +0200, "R.Wieser" <address@not.available>
wrote:

>Harry,
>
>> Very, very few tell you the full set of requirements, even
>> after entering one not allowed.
>
>Indeed. My previous ISP was one of them. They did have a page with
>requirements, but as it turned out it was incomplete.
>
>The end result of such a "we won't tell you" is actually counter productive
>: After a few times trying and being rejected the user will just create a
>password without any "special stuff" in it - so it will pass the rejection
>filter.
>
>IOW, instead of the "we won't tell you" making it harder for an attacker
>they actually make it easier. :-(
>
>Regards,
>Rudy Wieser
>

No, it doesn't make it harder for the hacker. It makes it easier
because when the max length is not revealed, the average person isn't
going to experiment with different lengths. In most cases the average
user will go with the 7 or 8 figures which most sites say is the
minimum accepted. And, as far as telling a hacker that the max length
is 32 or 64 characters is not going to help him unless your password
is the name of your dog or cat.

Running a test for the bits possible in a 32 character password on
this page says it can be as strong as 162 bits.
http://rumkin.com/tools/password/passchk.php

How about this possible figure for cracking a 32 character password?
87 thousand trillion trillion trillion years
https://www.passwordmonster.com/

So, I'll gladly tell any hacker/script kiddie that my password is 32
characters.

These jerk**f IT techs at these companies are just lazy - or ignorant.

Oh, for my 32 character password, I used -
https://fileforum.com/detail/Password-Generator-XP/1012885344/1

Harry,

> No, it doesn't make it harder for the hacker.

Thats what I said.

Regards,
Rudy Wieser

On Fri, 6 May 2022 09:19:40 +0200, "R.Wieser" <address@not.available>
wrote:

>Harry,
>
>> No, it doesn't make it harder for the hacker.
>
>Thats what I said.
>
>Regards,
>Rudy Wieser
>

I'll take your word for it. All this discoursing gibberish has worn
me out

On Fri, 06 May 2022 14:05:24 -0500, harry@invalid.com wrote:

>On Fri, 6 May 2022 09:19:40 +0200, "R.Wieser" <address@not.available>
>wrote:
>
>>Harry,
>>
>>> No, it doesn't make it harder for the hacker.
>>
>>Thats what I said.
>>
>>Regards,
>>Rudy Wieser
>>
>
>I'll take your word for it. All this discoursing gibberish has worn
>me out

One last item - what I found rather surprising is that Yahoo allows
spaces, upper/lower case, and some special characters. My wife's
Yahoo passphrase is 50 + characters. The only reason I know this is
because I had to change my wife's Simple as in SIMPLE password a while
back.

It is absolutely beyond me why anyone uses that outfit. It's nothing
but one ad after another.

'scuse me...it's head banging time again...