
Buggy account registration, terrible password rules



Posted

When registering a DCS account from within DCS, almost anything can be entered into the password field.

When one tries to login, if the password does not follow the security rules, that password is simply not accepted. DCS reports that the password entered is wrong.

DCS needs to follow the same password rules as the website.

It was only out of random frustrated attempts and trying "anything" that led me to try to register on the site even though I had already done so in-game.


Speaking of which, the password security rules are really irritating. DCS is a low-volume flight sim. There is no reason to require a capital letter and a number. The risk of account break-in is low (oh no, someone can fly with my account!), and the security increase is marginal at best.


For a humorous take on bad password rules, see this XKCD comic:


http://xkcd.com/936/

4 weeks later...
Posted
Terrible password rules... your argument is nonsense.

A capital and a number is excessive?


You failed to notice that the terrible password rules I was talking about are how the sim software and website don't even agree on the rules of the password that apply to both. If you believe that's a good idea, I am glad that you aren't a software developer.


I merely stated that the requirement for a number and a capital is irritating. It provides no benefit and makes passwords difficult to remember and difficult to type on a phone.

It's much better to simply require longer passwords. A humorous and non-technical explanation can be found here: http://xkcd.com/936/

Posted
[...]the sim software and website don't even agree on the rules of the password that apply to both[...].


Huh, that's weird. I never noticed. Well, I guess few people have. :D


I merely stated that the requirement for a number and a capital is irritating. It provides no benefit and makes passwords difficult to remember and difficult to type on a phone.


Irritating: Yes and no. AFAICT it's more or less the standard nowadays, and neither the best nor the worst.


I know about some corporate guidelines that disallow identical characters from following each other. Obviously the idea is to prevent people from using "aaaaaaaa" as their password. But say an attacker knew these password rules; he'd also know that the password entropy is (significantly) reduced simply because of this rule. Plus, this rule doesn't work well with randomly generated passwords (this argument is kind of recursive with regard to the "degraded entropy" argument).


What I'm trying to say is: if a password contains at least 8 characters and at least one each of a capital letter, a lower-case letter and a digit, a certain minimum entropy is guaranteed. Of course the password could be "123Abcde", which probably resides within the top 1000 of any brute-force dictionary. But it's still far easier to type than "difficult phone requirement merely". Especially on a phone. :thumbup:


On a side note: I love that XKCD, it's sooo brilliant. I just don't necessarily agree with it. :D
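The two disagreements in this thread (the in-game registration and the website not sharing one rule set, and whether the "one capital, one digit" or "no repeated characters" rules buy any entropy) can both be put in numbers. The script below is an added example written for this page, not code from DCS, the forum or any poster. It assumes a 62-symbol alphabet (26 lower, 26 upper, 10 digits) for the 8-character policy and, for the passphrase, the linked comic's figure of four words drawn from a 2048-word list; `meets_policy`, `keyspace_all_classes` and the other names are this example's own.

```python
import math
from itertools import product

# Character classes the thread's policy talks about: capital letter, lower-case
# letter and digit. The 62-symbol alphabet is an assumption for the arithmetic.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
CLASSES = (LOWER, UPPER, DIGITS)


def meets_policy(password, min_len=8, classes=CLASSES):
    """One policy function that both registration and login must call.

    The first post describes two code paths enforcing two different rule
    sets; routing both through a single shared check removes that bug.
    """
    if len(password) < min_len:
        return False
    return all(any(ch in cls for ch in password) for cls in classes)


def keyspace_all_classes(length, classes=CLASSES):
    """Count strings of `length` over the union of `classes` that contain at
    least one symbol from every class (inclusion-exclusion over the set of
    classes that are missing)."""
    n = len(classes)
    total = 0
    for mask in range(1 << n):
        missing = [classes[i] for i in range(n) if (mask >> i) & 1]
        allowed = sum(len(c) for c in classes) - sum(len(c) for c in missing)
        total += (-1) ** len(missing) * allowed ** length
    return total


def keyspace_brute_force(length, classes):
    """Same count by enumeration; only feasible for tiny alphabets, used to
    cross-check the inclusion-exclusion formula."""
    alphabet = "".join(classes)
    return sum(
        1 for s in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in s) for cls in classes)
    )


def keyspace_no_adjacent_repeat(length, alphabet_size):
    """Count strings in which no symbol equals its predecessor (the corporate
    rule mentioned in the thread): the first position is free, every later
    one has alphabet_size - 1 choices."""
    return alphabet_size * (alphabet_size - 1) ** (length - 1)


def bits(keyspace):
    """Entropy in bits if every string in the keyspace were equally likely."""
    return math.log2(keyspace)


def policy_comparison(length=8, wordlist_size=2048, words=4):
    """Upper-bound entropy of each policy, assuming uniformly random choice."""
    alphabet = sum(len(c) for c in CLASSES)
    return {
        f"any {length} chars, {alphabet} symbols": bits(alphabet ** length),
        f"{length} chars, all three classes": bits(keyspace_all_classes(length)),
        f"{length} chars, no adjacent repeat": bits(keyspace_no_adjacent_repeat(length, alphabet)),
        f"{words} words from {wordlist_size}": bits(wordlist_size ** words),
    }


if __name__ == "__main__":
    for name, b in policy_comparison().items():
        print(f"{name:32s} {b:6.2f} bits")
    print("123Abcde passes the policy:", meets_policy("123Abcde"))
```

Two things the numbers show. The class requirement and the no-adjacent-repeat rule each remove well under one bit from the 47.6-bit keyspace of arbitrary 8-character strings, so neither rule helps nor hurts much against an attacker who enumerates everything; and the comic's four-word passphrase sits only a few bits lower while being far easier to remember. All of these figures assume uniform random choice, which is exactly what "123Abcde" passing the check demonstrates a composition rule cannot guarantee, so a policy is best judged by what it forces a real user to do rather than by keyspace size alone.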
