Support Multi-Word Passwords

[kjtocool]

I think phpbb should move to support multi-word passwords. A simple shift would make it exponentially harder for passwords to be compromised. Even the best passwords ($dfk289@*1%) aren't anywhere near as strong as a multi-word password (blue funny dog barks). Even better would be a password + multi-word phrase option which hashes the two together.

I'd like to see phpbb support both implementations, allowing administrators to make the end decision. Thoughts?

[canonknipser]

I'd like to see phpbb support both implementations

it is no separate implementation, Its just another password (better name would be passphrase) rule including a whitespace as allowed character ...

[kjtocool]

From a UI perspective, my ideal scenario would be:

1) You use the regular password, it looks as it does currently.

2) You use the multi-word password, there are four input fields for each word.

3) You use the combination option, there is an input field labeled "Password", and then four input fields labeled "Phrase" or something similar.


I think, from a user perspective, it should be clear where each word goes, what sections is which, etc.

[canonknipser]

I think, from a user perspective, it should be clear where each word goes, what sections is which, etc.

From a users perspective (mine, not yours ), it makes it more complicated - all UIs i know tell me to enter my username (one entry-field) and a self-choosen passphrase (another entry-field) and maybe a captcha (a third entry-field).
Having more than one field for the passphrase would it make much more complicate. Why is phpBB asking me for more than one word? How many letters have i to put in each field? How many words do i have to enter?

From programmers perspective, its much more complicated:
allowing a passphrase with whitespace, i have only to check:
are all types of letters entered?
did the user enter a passphrase long enough?

Having more than one entry field, i have to check this for each field, and afterwards i have to combine it for calculating the passphrase hash.

Whats the difference between "blue funny dog barks" and "blue" "funny" "dog" "barks"?

[kjtocool]

I suppose I feel it is more intuitive.

When the user registers, they'll be prompted for a "pass phrase." How do they know to enter a space? How do you validate they didn't run a word together they meant to keep separate? To me, the easiest and most intuitive solution is to have 4 input boxes under one "Passphrase" heading.

When the user returns to login, they will see four input boxes, which should jog their memory that "oh yeah, this site uses that phrase." And certainly, if you choose to use the combination of a Password + Passphrase, it seems more intuitive to me if the options are distinct in nature: Username, Password, Passphrase. Segmenting it into understandable buckets aids in the recollection, simplifying a more complicated password entry system.

I do agree, it is more challenging from a design perspective.

[callumacrae]

If a user wants a multi-word password, let them. If they don't, let them.

It's fine how it is perfectly.

[Arty]

Its already hard enough to deal with websites that require some sort of mix of letters or whatever, so I can't enter my favorite password there, having to remember 2 passwords would be horrible. Such passwords increase chance of user having to write down that password somewhere rather than typing it from memory, increasing chances of it being stolen.

[kjtocool]

Well, the basic idea behind pass phrases are that they're just as hard to crack via brute force, but much easier to remember for people. Remembering "$php33foru*mp@a$$" is much harder than "phpbb forum awesome blossom".

[canonknipser]

Well, the basic idea behind pass phrases are that they're just as hard to crack via brute force, but much easier to remember for people. Remembering "$php33foru*mp@a$$" is much harder than "phpbb forum awesome blossom".

But, as long as the passphrase role allows it, you can enter it into one field - why do you want to use four (Or seven? Or ten?) fields for that?

There are a lot of tips outside for using easy-to-remember-but-hard-to-crack-passphrases, like using a sentence as "My dog has four legs and one head" and replacing number words by their numericals, just use the first letters of each word, and reverse the phrase giving: "h1al4hdM"

[kjtocool]

Because unique fields forces the user to enter a phrase, one field simply allows it. With one field, you can't force an entire forum to follow.