Seems the above thread did get closed, even though the MOD only actually hinted it might if it got out of hand.
I have just run the Security Check-up on LastPass and changed all my old passwords and fixed any issues.
Even the few sites that did not allow decent passwords in the past now do, apart from 3 sites.
I have contacted Astraweb and await a reply.
VM, on the other hand, I have no faith in anything getting done, but this very forum can have a password strong enough to score 100% in the security check, though it's not actually run by VM (at least it once was not).
VM can only have letters and numbers, no special characters, and AFAIR about 7-10 long, and one of the below sites must start with a letter (again AFAIR).
[MOD EDIT: Subject heading changed to assist community]
Not expecting much, like someone's blood or 1st born, just the same basic security even pr0n sites have given in the past 10 years.
And I am not sure why you are not sure, as it was pretty clear from my post and the linked thread that all I/we want is a stronger password option.
Unlike the linked thread, which was ruined by 1 fool, I am not going to reply to any posts from naysayers, as if the above-mentioned sites can do it so can a big company like VM.
See, here's the thing: you cannot give options that the backend cannot support. The back-end systems only support very specific password rules; they could change the front end to "allow" those passwords, but the back end will still reject them. Comparing the password requirements on a generic site isn't the same as a system that spans decades, with hardware that is probably older than some of the customers VM sells to.
The "I'm not sure what you're expecting" refers more to the fact that you seem to expect something that is physically impossible to happen. This thread isn't going to make VM go out and spend an absolute fortune replacing every single legacy system in the country just to allow for slightly higher password complexity. I am well aware of what you're "asking" for, but it's not anywhere near as simple as you seem to think it is.
IMHO, there is nothing like a data breach to shake that lethargy and make the previously perceived impossible / expensive suddenly achievable.
To be fair, if it was going to happen, chances are it would have already, but that won't force them to redo the entire system; they would just plug the hole that was used to gain access and send out password resets to all users.
You are looking at one aspect of security in isolation. Password strength, whilst important in the case of a brute force attack, is irrelevant from the POV of other attack vectors. In fact even in the case of a brute force attack, other mitigating factors (number of attempts allowed per second, IP matching/blocking, SSL implemented or not etc etc etc) are important.
In fact I'd argue a system that forces you to have separate passwords for email, fora and billing account is MORE secure than one that allows you greater password strength but allows replication across platforms. LCD and that. Personally I couldn't even TELL you my email and MyVM account passwords because the requirements are so obscure.
Which means I haven't used the all too tempting "recycle a password" that breaks network security instantly. Used the same password on "Bobo's Cuddly Toys R Us" to order a gift for your Valentine as your 3 VM log-ins with now-aligned 15-character requirements after an upgrade?
Yeah, you're goosed....
Breach "Bobo's" with their off-the-peg GoDaddy premium security and you've breached your VM/bank/Amazon/PayPal, cos whilst the requirements were STRONG in a password checker, you used the same one...
Attack footprint is about MUCH more than vanilla password strength.
BlackHats are the same as any other criminal. They are looking for least effort and most reward. Throwing millions of processor cycles at a community forum password (as an example of what MAY be a SPF) only to find it doesn't allow access to either email or billing is a waste of time/effort.
Whether by accident or design (I'll leave that to the reader), IMHO the fact that legacy systems have obscure requirements works in our favour.
"In fact even in the case of a brute force attack, other mitigating factors (number of attempts allowed per second, IP matching/blocking, SSL implemented or not etc etc etc) are important."
Sorry Kippies, but that doesn't make sense. Brute-force attacks just don't happen that way! If an attacker has the hashes (if they were hashed in the first place!), attempts per second are limited only by their hardware/algorithm... and IP matching/SSL make no difference whatsoever.
"I'd argue a system that forces you to have separate passwords for email, fora and billing account is MORE secure than one that allows you a greater password strength but allows replication across platforms"
That'd be true if all those systems were interoperable, but they're not. You can easily set your MyVM password to the same as the forum, or the other way around. Restrictions are a limitation on what the password could be, not an indication of what the password might be...
"Throwing millions of processor cycles at a community forum password (as an example of what MAY be a SPF) only to find it doesn't allow access to either email or billing is a waste of time/effort."
If the attacker is using CPU cycles, they represent little/no threat. A powerful GPU, or multiples thereof... now they're a risk. You'd be mistaken for believing that breaking a password, even if it doesn't immediately provide access to something more useful, is a waste of time or effort. People choose poor passwords; we know this. They'll stick to common trends.... caps at the start, DOBs at the end, special-char replacements for numbers, et al. If we know how a user chooses passwords, we don't need to know their password.
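The two points made in the last post (an offline attack on leaked hashes is throttled only by the attacker's hardware, and knowing people's password habits beats searching the keyspace) are easier to see in code. The block below is an added example, not code from this thread or from the forum's operator. It runs a small dictionary attack with mangling rules (capitalise, leetspeak, append a year or digits) against a constructed table of salted SHA-256 hashes; the usernames, salts, plaintexts and wordlist are all made up for the demo, the toy hash scheme is an assumption (a real system should use a slow KDF), and the `LEGACY_RULE` regex encodes the password rule only as recalled earlier in the thread (letter first, alphanumeric only, 7-10 characters; case-sensitivity assumed). It also compares the number of guesses that rule-based cracking needs against the size of that legacy keyspace.

```python
import hashlib
import re
import time

# Legacy password rule as recalled in the thread (assumption): first character
# a letter, letters and digits only, 7-10 characters in total.
LEGACY_RULE = re.compile(r"[A-Za-z][A-Za-z0-9]{6,9}")


def legacy_policy_allows(pw):
    """True if pw satisfies the recalled legacy rule."""
    return LEGACY_RULE.fullmatch(pw) is not None


def keyspace(alphabet_size, min_len, max_len, first_alphabet_size=None):
    """Number of strings a length/charset policy admits. first_alphabet_size
    restricts the first character (e.g. 52 letters out of 62 alphanumerics)."""
    first = alphabet_size if first_alphabet_size is None else first_alphabet_size
    return sum(first * alphabet_size ** (n - 1) for n in range(min_len, max_len + 1))


def sha256_salted(salt, password):
    """Toy password hash for the demo: SHA-256 over salt || password (assumed
    scheme). Real systems should use a slow KDF such as bcrypt, scrypt or Argon2."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed demo data: three accounts with per-user salts. The plaintexts
# exist only to build the hash "dump" the attacker is assumed to have obtained.
_DEMO_PLAINTEXTS = {
    "alice": ("a1f3", "Summer1990"),   # capitalised word + year
    "bob":   ("b2e4", "p4ssw0rd"),     # leetspeak substitution
    "carol": ("c3d5", "Xq7pLz9vRk"),   # random but policy-legal; not derivable from the wordlist
}
DEMO_HASHES = {user: (salt, sha256_salted(salt, pw))
               for user, (salt, pw) in _DEMO_PLAINTEXTS.items()}
DEMO_WORDLIST = ["summer", "password", "football", "welcome", "dragon"]  # constructed

# Mangling rules modelled on the habits described in the thread.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ["", "1", "123", "!"] + [str(year) for year in range(1960, 2011)]


def mangle(word):
    """Yield candidates derived from one base word: as-is, capitalised,
    leetspeak, both; each with common suffixes (digits, '!', a birth year)."""
    bases = {word, word.capitalize(), word.translate(LEET),
             word.capitalize().translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def crack(hashes, wordlist):
    """Offline attack over a leaked {user: (salt, digest)} table.
    Returns ({user: recovered_password}, number_of_hash_computations).
    Nothing here can be rate-limited; the only throttle is the attacker's CPU/GPU."""
    by_salt = {}
    for user, (salt, digest) in hashes.items():
        by_salt.setdefault(salt, {})[digest] = user
    found, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            for salt, digests in by_salt.items():
                guesses += 1
                user = digests.get(sha256_salted(salt, candidate))
                if user is not None:
                    found[user] = candidate
    return found, guesses


if __name__ == "__main__":
    start = time.perf_counter()
    found, guesses = crack(DEMO_HASHES, DEMO_WORDLIST)
    elapsed = max(time.perf_counter() - start, 1e-9)
    rate = guesses / elapsed
    legacy = keyspace(62, 7, 10, first_alphabet_size=52)
    print(f"recovered: {found}")
    print(f"{guesses} guesses in {elapsed:.4f}s (~{rate:,.0f}/s on this CPU, unthrottled)")
    print(f"legacy keyspace: {legacy:.3e}; 15 printable chars: {keyspace(95, 15, 15):.3e}")
    print(f"exhausting the legacy space at this rate: {legacy / rate / 86400 / 365:.1e} years")
```

Running it recovers alice's and bob's passwords in a few thousand guesses while carol's random (but equally policy-legal) one survives, which is the point about habits rather than policy deciding the outcome. Swap the SHA-256 call for bcrypt at a high cost factor and the same 3300 guesses take seconds instead of milliseconds; that, plus per-site unique passwords, is what actually limits an offline attacker, not anything the login page does.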