By Steve Endow
In a previous post about passwords, which you can read here if you haven’t already:
https://dynamicsgpland.blogspot.com/2016/10/how-do-you-choose-your-passwords-and.html
I discussed my “Passphrase Generator”. It’s been working well for me, though it’s not perfect. I felt like I was taking the right steps by combining my passphrase generator with a dedicated password manager.
Using words no longer than 7 letters, 2 numbers, and 1 symbol, I’ve been creating passphrases such as:
Briony%4Cobwebs4 (16 characters)
Hyped/5Umber1 (13 characters)
Reecho%6Touzled8 (16 characters)
Tisanes#4Tangles6 (17 characters)
These seemed quite secure to me.
However, while I was listening to Kevin Mitnick’s audiobook, The Art of Invisibility, he suggested using passphrases with a minimum of 25 characters.
25 characters?!? (interrobang)
Could he be serious?
Those of us familiar with Dynamics GP often complain about its 15-character password limit. We’ve seen many customers encounter problems when their IT security policies mandate at least 15 characters, only to discover that their 16+ character passwords won’t work with Dynamics GP.
Clearly, using 25+ character passwords with Dynamics GP is impossible.
Furthermore, I’m almost certain I’ve encountered websites that wouldn’t even allow close to 25 characters.
The only way to know for sure is to test it. I reset my passwords on some websites. The lengths below are not the sites’ limits, just the lengths of the long, randomly generated passwords I successfully saved:
Twitter: 35 characters
Stack Overflow: 35 characters
GPUG.com: 38 characters
Atlassian/Bitbucket: 36 characters
So far, so good! It seems a 25-character minimum password might be doable!
(imagine a record scratch here)
Then, I logged in to my online banking website - a major, well-known bank.
And guess what I saw?
A 20-character limit! Seriously?
Strike one!
Let’s try another bank, a smaller one I use. However, when I attempted to change my password…
…it wouldn’t let me paste the password from my Passphrase Generator!
That’s completely unreasonable!
Troy Hunt dismantles this ridiculous “security” practice of preventing password pasting in his insightful blog post.
He even provides examples from companies like GE Capital and PayPal.
This pretty much eliminates the possibility of consistently using 25+ character passwords.
Could I use them on sites that permit them and allow pasting? Absolutely. And I might just do that.
However, it’s clear that many sites, especially larger ones, have inexcusable password length restrictions and disable pasting, limiting you to their arbitrarily short passwords.
I suppose that answers my question.
That being said, will I switch to 30+ character passwords? I’m not sure.
Occasionally, I need to manually enter passwords on mobile devices, which is a nightmare with so many characters. Typing anything accurately on my phone is challenging enough, let alone a password that long.
I might give it a try though. As I reset passwords moving forward, I’ll experiment with 25+ character passphrases and see how it goes.
Hopefully, my bank will someday allow more than 20 characters.
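The sketch below is an added example, not the Passphrase Generator from this blog. It extends the Word-symbol-digit-Word-digit pattern shown earlier with more word-and-digit blocks until a minimum length is reached, and refuses when a site limit (15 for Dynamics GP, 20 for the bank) cannot hold that length. The word list, symbol set, function names and the 7,776-word list size are assumptions.

```python
import math
import secrets

# Constructed sample list; a real generator needs thousands of words.
WORDS = ["briony", "cobwebs", "hyped", "umber", "reecho", "touzled",
         "tisanes", "tangles", "amber", "quartz", "fennel", "mosaic"]
SYMBOLS = "%/#!@&*+"   # assumed symbol set
MAX_WORD_LEN = 7       # "words no longer than 7 letters"


def entropy_bits(n_words, pool_size, n_symbols=len(SYMBOLS)):
    """Estimated entropy when the attacker knows the pattern and word list:
    one symbol, plus one word and one digit per block."""
    return math.log2(n_symbols) + n_words * (math.log2(pool_size) + math.log2(10))


def generate(min_len=25, max_len=None, words=WORDS, attempts=1000):
    """Return (passphrase, n_words) in the form Word<sym><digit>Word<digit>...

    Blocks are appended until min_len is reached. max_len models a site limit
    (15 for Dynamics GP, 20 for the bank in the post); ValueError is raised
    when the limit cannot hold a passphrase of min_len.
    """
    if max_len is not None and max_len < min_len:
        raise ValueError(f"site limit {max_len} < target length {min_len}")
    pool = [w.capitalize() for w in words if len(w) <= MAX_WORD_LEN]
    for _ in range(attempts):
        parts = [secrets.choice(pool), secrets.choice(SYMBOLS),
                 str(secrets.randbelow(10))]
        n_words = 1
        while sum(map(len, parts)) < min_len:
            parts += [secrets.choice(pool), str(secrets.randbelow(10))]
            n_words += 1
        phrase = "".join(parts)
        if max_len is None or len(phrase) <= max_len:
            return phrase, n_words
    raise ValueError("no passphrase fits between min_len and max_len")


if __name__ == "__main__":
    for target in (13, 25):
        phrase, n = generate(min_len=target)
        # 7776 is an assumed word-list size used only for the estimate.
        print(f"{phrase} ({len(phrase)} characters, "
              f"~{entropy_bits(n, 7776):.0f} bits with a 7,776-word list)")
```

The estimate counts only the random choices, so a longer passphrase gains strength from the extra word and digit picked, not from the character count itself.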
Steve Endow is a Microsoft MVP in Los Angeles. He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.

