Topic: What settings work for almost all sites? (# of chars & charset)

qwavel

  • Guest
I think it is important that the PasswordMaker default settings work well for (almost) all sites.  I want to be able to recommend PM to novice users who would just use the default settings.   (Yes I realize that this provides less security.)

I see that (in the online version) the default is 12 characters and the char set is:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./

Is this really ok for all sites?  In my search for a password that works in most places I found that I needed a password of only 8 chars and that I had to limit my char set to:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

What do others find?



Offline tanstaafl

  • God Member
  • Posts: 1363
« Reply #1 on: June 01, 2006, 06:26:08 PM »
Quote from: qwavel
I think it is important that the PasswordMaker default settings work well for (almost) all sites.  I want to be able to recommend PM to novice users who would just use the default settings.   (Yes I realize that this provides less security.)
I'm not sure I agree with your thinking here. I do agree that it should be as easy to use as possible, but I don't agree that a novice user should be able to just use it without even taking a few minutes to learn a bare minimum about how it works and why. The character set is a critical part of PWM, and the user should be forced to at least learn how it is used and why using weird characters makes a password more secure.

Personally, I think that anyone interested enough to give PWM a try is smart - and willing - enough to learn a little about how and why it works.

Quote
I see that (in the online version) the default is 12 characters and the char set is:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./

Is this really ok for all sites?
No, but it is much more secure than just plain alpha-numeric characters.

Quote
In my search for a password that works in most places I found that I needed a password of only 8 chars and that I had to limit my char set to:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

What do others find?
Generally, the length is much less of a problem than the special characters, which definitely can be a problem on some sites.

I have found that more than 75% of the time, the default character set works fine, and don't remember the last time I had a problem with the length.

Offline morguns

  • Full Member
  • Posts: 145
« Reply #2 on: June 02, 2006, 03:51:43 AM »
I agree with tanstaafl when he says anyone who chooses to use PasswordMaker should make an effort to understand how it works. Trying to remain blissfully ignorant will lead to pain and frustration eventually. And really, aren't all things in life susceptible to this?

That said, if one is using the Firefox extension, settings are stored, so having multiple character sets, password lengths, etc. is really a moot issue since it becomes a "set it and forget it" situation. I hope that helps.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • Posts: 3353
« Reply #3 on: June 02, 2006, 04:37:40 AM »
To add to morguns and tanstaafl... historically, newbies typically complained when the default charset was 0123456789abcdef. They thought there was no way to include other characters. And, indeed, for a long time there was no way. But even after the charset was enhanced to include any Unicode character, people still didn't experiment enough to realize they could change the characters.

This still happens today: there are occasional posts in the forums and/or in personal emails asking why special characters are included in passwords. To paraphrase, "the passwords are unusable at myfavoritesite.com because myfavoritesite.com only permits alphanumeric characters."
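
Added example, not part of any post in this thread and not PasswordMaker's own code: a sketch of how a generated password depends on the chosen character set and length, using the three character sets quoted above. It assumes HMAC-SHA256 keyed with the master password; the names `derive` and `entropy_bits`, the master secret and the site name are constructed for illustration.

```python
import hashlib
import hmac
import math

# Character sets quoted in the thread.
ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
DEFAULT = ALNUM + "`~!@#$%^&*()_-+={}|[]\\:\";'<>?,./"
HEX = "0123456789abcdef"


def entropy_bits(charset: str, length: int) -> float:
    """Bits of entropy when each character is drawn uniformly from charset."""
    return length * math.log2(len(charset))


def derive(master: str, site: str, charset: str, length: int) -> str:
    """Derive a per-site password by rewriting an HMAC digest in base len(charset).

    Assumption: HMAC-SHA256 keyed with the master password; not the real tool's scheme.
    """
    base = len(charset)
    if base < 2 or len(set(charset)) != base:
        raise ValueError("charset needs at least two distinct characters")
    # Use only the low digits of each 256-bit digest so every digit is
    # uniform to within 2**-128; longer passwords pull further blocks.
    per_block = int(128 / math.log2(base))
    out, counter = [], 0
    while len(out) < length:
        msg = f"{counter}:{site}".encode()
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        n = int.from_bytes(digest, "big")
        for _ in range(min(per_block, length - len(out))):
            n, digit = divmod(n, base)
            out.append(charset[digit])
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs: compare the settings discussed in the thread.
    for name, cs, n in (("default", DEFAULT, 12), ("alnum", ALNUM, 8), ("hex", HEX, 12)):
        pw = derive("constructed master secret", "example.com", cs, n)
        print(f"{name:8} {n:2} chars  {entropy_bits(cs, n):5.1f} bits  {pw}")
```

The entropy figures are upper bounds that hold only if the master password is at least as hard to guess as the generated one.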

qwavel

  • Guest
« Reply #4 on: June 02, 2006, 05:18:01 PM »
The reason I want it to be very simple for novice users is that I want to be able to recommend to non-tech family and friends.

These people would just use the basic options - if these users were shown the advanced options they would be intimidated and would not want to use it.  The Firefox extension works very well for these users because they won't see the advanced options unless they select the advanced options from the view menu (which they won't).

This results in a slightly lower level of security for them, but it is still more than adequate for their requirements and it is probably vastly better than their current systems.

So, I'm hoping that the basic options will work for almost all sites.  If the novice user encounters a site that does not accept the basic char set or password length then the user will probably revert to their old system (e.g. using their standard password) for that site.  That's ok, as long as it doesn't happen very often.

I'm not actually suggesting that the defaults be changed - I realize that they should be changed as infrequently as possible.  Rather, I'm hoping that these ideas are considered the next time that the defaults have to be changed for some other reason.

What's more important for those novice users is that the web page defaults be 'in sync' with the FF extension defaults.  So I've listed that issue in a separate post.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • Posts: 3353
« Reply #5 on: June 02, 2006, 06:15:35 PM »
Quote
I'm not actually suggesting that the defaults be changed - I realize that they should be changed as infrequently as possible. Rather, I'm hoping that these ideas are considered the next time that the defaults have to be changed for some other reason.
OK. Thank you.

Quote
What's more important for those novice users is that the web page defaults be 'in sync' with the FF extension defaults. So I've listed that issue in a separate post.
Yes, as I wrote in that post, I agree with you.

Thanks,
Eric

LkonKbd

  • Guest
« Reply #6 on: June 03, 2006, 01:22:36 PM »
Quote from: qwavel
The reason I want it to be very simple for novice users is that I want to be able to recommend to non-tech family and friends.

These people would just use the basic options - if these users were shown the advanced options they would be intimidated and would not want to use it.  The Firefox extension works very well for these users because they won't see the advanced options unless they select the advanced options from the view menu (which they won't).

This results in a slightly lower level of security for them, but it is still more than adequate for their requirements and it is probably vastly better than their current systems.

So, I'm hoping that the basic options will work for almost all sites.  If the novice user encounters a site that does not accept the basic char set or password length then the user will probably revert to their old system (e.g. using their standard password) for that site.  That's ok, as long as it doesn't happen very often.

I'm not actually suggesting that the defaults be changed - I realize that they should be changed as infrequently as possible.  Rather, I'm hoping that these ideas are considered the next time that the defaults have to be changed for some other reason.

What's more important for those novice users is that the web page defaults be 'in sync' with the FF extension defaults.  So I've listed that issue in a separate post.

'qwavel' "BYA" > If I may add somewhat to this, I am in agreement with "Eric H. Jung" because he is the creator and programmer, 'tanstaafl' and 'morguns' because they are more knowledgeable than myself.  Any minimal settings will be very insecure, as you have noted, but they should be easy to use for any and all, Advanced or Novice.  As a very Novice myself, there are many features I have not used as I do not have the time to devote to that process at this time.  The advanced options are not that difficult to learn, I am just now getting into using the "Advanced Auto-Populate," and when it comes to Banking accounts over the NET that is one that will require the tightest security you can muster.  I am not a programmer nor a power user, only a very simple user but with GREAT 'curiosity', that is the one feature that will make anyone the most secure, but how do you program that into the simple or advanced features of 'PasswordMaker', NOT possible.  I feel this falls on the shoulders of those that are attempting to get others, even novices, to use a feature such as 'PasswordMaker'.  Teach, Teach, Teach and when all else fails Instruct until they are able to do the simplest and hope one day they can advance enough to be as secure as possible.

Do Not attempt to use the "sync", "web site from remote".  Stick only to the 'Home' system or wherever they normally use the web until they are better.

Thank you for reading my $0.0002 worth,
