Passwords on this site

For years we have been told to make our passwords "hard to guess" by mixing uppercase and lowercase letters, including numbers and punctuation characters, and so on. The main advocate of this practice was NIST (National Institute of Standards and Technology), the US government department that deals with cybersecurity. Recently they published a paper that basically says they got it wrong. You can read the original paper here: if you are sufficiently interested, but the gist of it is that their advice has caused people to get into some very bad habits with regard to their passwords. The situation has been exacerbated by well-meaning but ultimately poorly designed code that forces people to create passwords containing different types of characters without really checking how "crackable" the password is.

The new advice, and also our advice, is not to use a password at all; use a passphrase instead. The very word "password" implies one word, and people didn't realise that several words with spaces between them are actually far more secure than a single word, even one with uppercase, lowercase, numbers and so on. So when you choose a password for this site, pick a short sentence that you will remember. You can make it all lower case if you prefer, or add one or a few capitals; to be honest it makes very little difference to the strength of your passphrase. What matters is the length. Here are some examples of really good passphrases:

The point is that you come up with a short phrase that makes no real sense but is easy to remember. Don't use phrases from published literature; make it up yourself. Don't make it too long: about 5 to 8 words is right. Use all lowercase or all uppercase if it helps you remember it better.

This site has several mechanisms to protect against hackers trying to break in, so don't be surprised if you get locked out after entering an incorrect password several times in a row. If you do get locked out, try again later, as the lockout will time out, or use the password reset feature; this will allow you to set a new password and it clears any lockout at the same time.

If you do forget your password, just use the reset feature. There is no point in contacting us to ask what your password is, because no one knows it, nor has anyone any way of looking it up for you. When you set your password it is not stored anywhere; instead the system runs a mathematical algorithm on it called a "hash", which creates a fingerprint of your password, and it is this fingerprint that is stored in the database. When you log in, it runs the same algorithm on the password you type in and compares the fingerprint with the one stored in the database; if they match, you're in.
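The set-and-check flow described above, as an added example that is not this site's own code: it assumes a salted PBKDF2-SHA256 hash (the page does not say which algorithm the site uses), a fresh random salt for every user, and a constant-time comparison at login. The sample passphrase is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example; the page does not state the site's actual settings.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> str:
    """Return the record that gets stored: "pbkdf2_sha256$iterations$salt_hex$digest_hex".

    The passphrase itself never goes into the record, only its salted fingerprint,
    which is why nobody can look a password up for you later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a fresh random salt per user, so equal passphrases hash differently
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Re-run the same algorithm on what was typed and compare the fingerprints."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a match
    candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, rounds)
    # compare_digest takes the same time whether the first or last byte differs
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_passphrase("purple teapot climbs the stairs")  # constructed sample passphrase
    print(record)  # the record contains no trace of the words above
    print(verify_passphrase("purple teapot climbs the stairs", record))  # True
    print(verify_passphrase("Purple teapot climbs the stairs", record))  # False
```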