Password Strength


Can you type alt keys for a symbol when making a new password? I'm afraid to try for making a new PW and it making something IDK what it is to log in - I use 12+ letters and kb Shift keys currently but want to know if alt shortcuts will take - or what about using a foreign language kb character? Thank you very much if anyone can answer.


With passwords, make them a passphrase. A sentence, saying or lyric from a fav book, poem, or song that you can easily recall as it means something to you other than just being a password. If you are worried about somebody working you out, then use a saying or words meaningfully imparted to you by a person, parent, teacher, or mentor who means something to you.

Basically, the longer a password is, the more secure it is from attack.

This said, also do as Kathrine said. Use 2FA as well wherever it is obtainable.


Password phrases are great in several ways. Being easy to remember is an excellent reason for using them.

I can't find a maximum length for a password in SL. With the coming of an SL Mobile app long passwords are likely to be a bit of a problem, if you go that direction.

While 2FA is a great addition to security it adds a lot of moving parts. If we manage to start a new world war or even just piss off one of the big world players, that 2FA complication is likely to be a BIG problem. If you were an AT&T customer and using 2FA for SL then you would likely have been locked out of SL during AT&T's outage (ref). There are lots of theories as to what actually happened with AT&T. Many of us are highly skeptical of anything big corporations and governments claim, especially in an election year. Think: Leaving the World Behind.

With all the accounts I have and all the accounts I manage on clients' behalf, the 'remember' and/or 'write it down' plans weren't working. I use a commercial password manager that syncs across all my devices. It is so nice and quick. By default it creates 16 character randomized passwords using upper (26) and lower case (26) letters, numbers (10), and punctuation & symbols (30)... which gives us... 26+26+10+30=92 for 92^16 or 26,339,361,174,458,854,765,907,679,379,456 or 26.3 nonillion possible passwords. If a supercomputer could check a billion (1,000,000,000) passwords per second, it would take about 8.2 x 10^22 years to check 26 nonillion permutations. The estimated time for a quantum-computer to crack such a password is something like 5.1 quadrillion years… or about 364,000 times the age of the universe. A big improvement, but no prize.

With the rapidly upcoming AI and all the data Google collects, it will likely be able to predict (guess) any password you make up.

HOWEVER… a good scam or phishing attack can also come up with your password in less than an hour.

So... while long passwords, and even randomized passwords are strong... real security is a matter of how smart you are and your level of gullibility. 🤔

Edited by Nalates Urriah
dumb spelling mistake

9 hours ago, Nalates Urriah said:

While 2FA is a great addition to security it adds a lot of moving parts. If we manage to start a new world war or even just piss off one of the big world players, that 2FA complication is likely to be a BIG problem. If you were an AT&T customer and using 2FA for SL then you would likely have been locked out of SL during AT&T's outage (ref). There are lots of theories as to what actually happened with AT&T. Many of us are highly skeptical of anything big corporations and governments claim, especially in an election year. Think: Leaving the World Behind.

This is only true of 2FA systems that use SMS texts to send the codes.

Second Life is not one of those systems.

It uses a more secure time-based code system called TOTP (Ref: https://www.hypr.com/security-encyclopedia/time-based-time-password-totp-otp) which is more resistant to man-in-the-middle attacks than SMS codes and doesn't require any network to work.

So it would still work during an AT&T outage.
 

Edited by Gabriele Graves

(Just in passing: the SMS network is likely to survive EMP more intact than most communications because it's based on a messaging system from the 1970s. In contrast, anything that relies on GPS will be toast. That's not to say anybody should use SMS for authentication—or much of anything else, for that matter.)


49 minutes ago, Qie Niangao said:

the SMS network is likely to survive EMP more intact than most communications

That might be true, but the mobile phone base stations would be down pretty soon anyway, so it wouldn't help.

TOTP as 2FA has a few upsides and downsides. The upside is that it is easy to implement on anything programmable with a working clock. Like people implemented it on Commodore C64... (Old Vintage Computing Research: Meet your new two-factor authenticator: your Commodore 64 (oldvcr.blogspot.com)), smartwatches, Yubikeys, desktop apps (e.g. KeePassXC) and a ton of other non-smartphone-class devices. So it is one of the 2FA systems that should work in most circumstances. In a pinch you can print out the secret, store it in a safe location and clone a new authenticator from it later when your device dies.

It obviously does have a weakness, as it can be cloned so easily, but for the threat model of SL it should not really matter. You don't need to defend against Evil Maid attacks..., well, not for your 2FA at least; inworld there might be Evil Maids trying to do nasty things, but that's a different matter.

 

