Account secret needs to be stronger

Trying to sign in for the first time. Is a 100 character alphanumeric string with symbols really not strong enough?

It only needs to be 20 characters or so. Have you set your IP address?

This makes me think about how, whenever people are being shown/handheld this project by its proponents, they need to be told how important it is to have one really strong ‘secret’ that nobody but you is going to guess—and how it may seem excessive, but that they need to be alerted to how this technology will be the only thing that matters for data/communications security in the world, and that they are too used to how the world currently works (and how they probably have many different passwords which total way more characters than this one ‘secret’, so it’s actually helping them to think of one really strong one), and how they won’t have to remember anything else, that the network takes care of the rest.

Yes, I set the IP. I started with 12, then 32, then 48, then 64, and finally 100, only to be told each time that it wasn’t strong enough. I used the Windows 64 non mock browser installer, and it led me through the steps. I pasted in my code, and was asked to create the account secret. This is where it fails. Any log files I can look at for more information?

2 Likes

Seems odd, we use a standard checker there. It will fail if the string for instance is repeated etc. So you could see 20 chars being secure, but adding chars actually making it less secure and so on if it repeats or becomes guessable, close to a known text etc.

1 Like

To add a bit more, SAFE authenticator uses zxcvbn for checking password strengths.

You can read about it and find an informative / debugging tool here:

https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

4 Likes
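The point made above about repeated strings, as an added example that is not part of the thread and is not zxcvbn's or the SAFE authenticator's code: a simplified repeat-aware estimate showing why a 100-character string built from a repeated 20-character unit scores barely above the unit itself. The function names, the per-class alphabet sizes and the sample secret are assumptions constructed for illustration.

```javascript
// Simplified model (assumption): brute-force guesses over the shortest
// repeating unit, multiplied by the repeat count. Not zxcvbn's scoring.

// Smallest unit u with s === u.repeat(k), found via the KMP prefix function.
function shortestRepeatUnit(s) {
  const fail = new Array(s.length).fill(0);
  for (let i = 1, k = 0; i < s.length; i++) {
    while (k > 0 && s[i] !== s[k]) k = fail[k - 1];
    if (s[i] === s[k]) k++;
    fail[i] = k;
  }
  const period = s.length - (s.length ? fail[s.length - 1] : 0);
  return s.length % period === 0 ? s.slice(0, period) : s;
}

// Assumed alphabet size from the character classes present.
function alphabetSize(s) {
  let n = 0;
  if (/[a-z]/.test(s)) n += 26;
  if (/[A-Z]/.test(s)) n += 26;
  if (/[0-9]/.test(s)) n += 10;
  if (/[^a-zA-Z0-9]/.test(s)) n += 33;
  return n;
}

// Length-only estimate: every character counted as independent.
function naiveLog10Guesses(s) {
  return s.length ? s.length * Math.log10(alphabetSize(s)) : 0;
}

// Repeat-aware estimate: guess the unit, then guess how often it repeats.
function log10Guesses(s) {
  if (s.length === 0) return 0;
  const unit = shortestRepeatUnit(s);
  const repeats = s.length / unit.length;
  return naiveLog10Guesses(unit) + Math.log10(repeats);
}

// Constructed sample secret (20 distinct characters), then repeated 5 times.
const unit = "k7#Qm2!xZp9@Lw4$Tn6%";
const padded = unit.repeat(5);
for (const [label, s] of [["20 chars", unit], ["100 chars (5x repeat)", padded]]) {
  console.log(label, "naive:", naiveLog10Guesses(s).toFixed(1),
              "repeat-aware:", log10Guesses(s).toFixed(1));
}
```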

OK, I tried the zxcvbn demo and it rates my password 4/4 with all categories of guessing in centuries. I’m generating it with LastPass. Not sure what to do next.

I suggest submitting this as an issue and trying a different approach to your password. If you mix case, numbers etc you shouldn’t need more than a dozen characters.

It does seem strange. I haven’t come across this one before. I’m using Win 10 and I just set up a test account with secret and password both set to “heresmystrongpw”. I wonder if you’re not connected to the network? Blocked by a firewall perhaps.

Can you try logging in using the above credentials, see if it works?

1 Like

I noticed that the check seems glitchy when you copy-paste the password string, but works fine when you type character by character.

1 Like

OK, I was able to proceed! It is a paste issue. Typing it did the trick. “heresmystrongpw” worked first. This will make the use of long passwords much more difficult. Thank you everyone for your suggestions.

2 Likes

Back with an update. It appears that it wants at least a single actual keystroke in the secret or password fields. So if you paste your long generated password it’s not strong enough, but if you then backspace the last character off, it is strong enough. So currently, clicking in the field and pasting isn’t going to cut it. I’ve actually seen similar behavior in certain online forms, so maybe some common input-processing routine has been used.

4 Likes

Good catch. 🙂 Would you like to raise this as an issue on GitHub, or if not please ask somebody to do so if you’d rather not yourself.

Yes, I will post it on GitHub. Additional note. The copy/paste seems to work just fine when signing in. So it’s just the account signup that appears to be affected.

1 Like

I’m new to GitHub. I signed up and found the MaidSafe general topic. Can you suggest the correct subgroup to post this in?

Go here and click ‘New Issue’.

3 Likes

Thanks for the link. Issue opened.

4 Likes
