Passwords: does size matter, what characters?
Python
python at venix.com
Fri Mar 10 12:38:00 EST 2006
On Fri, 2006-03-10 at 10:53 -0500, Ben Scott wrote:
> On 3/9/06, Ted Roche <tedroche at tedroche.com> wrote:
> > Designing a web site for a client, he asked what the general guidance
> > was for passwords.
>
> I thought I'd chime in with some additional bits of mine (thus
> bringing my contribution to this thread to a full $0.04, I guess <g>).
>
> The usual "strict and strong" password guidelines include something like:
>
> - At least 8 characters
> - At least one each of the following character groups:
> - Uppercase
> - Lowercase
> - Digit
> - Punctuation
>
I'm not so sure this is a good idea. By forcing that much structure,
you are actually reducing the randomness of the password possibilities.
A simple example is two digit passwords. Default is 100 possibilities.
If you require a digit in range 0-4 and a digit in range 5-9, you are
down to 50 possibilities.
>>> 94 ** 8
6095689385410816L
>>> 26*26*10*32* 94**4
16889161502720L
My combinatoric logic could well be faulty. However, I think the second
number will be substantially reduced from the full range of
possibilities.
I would only insist on including 2 of the sets, 3 at most. Or get a
hacker word list and insist the password not be present in the list.
/usr/share/doc/cowpatty-2.0/dict
The cowpatty list is under 100k and would be easy to load into a "set"
container for efficient membership tests.
(I do not follow this advice, but allow my *web* users any old password
they want. However, there is not much at risk. They get no system
privileges. The password protects their data which is not high value in
the applications I am dealing with.)
> The following password fits those requirements:
>
> Passw0rd!
>
> I've seen that one used all over the place. Point being: No amount
> of strength checking will protect people from themselves. Users have
> to be invested in protecting themselves for password security to work.
>
> -- Ben
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
--
Lloyd Kvam
Venix Corp
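An added example, not part of the original post, that makes the counting exact: inclusion-exclusion gives the number of 8-character strings over the 94 printable ASCII characters that contain at least one symbol from each of the four classes Lloyd multiplied together (26 upper, 26 lower, 10 digits, 32 punctuation), reproduces his two-digit example, and cross-checks the formula by brute force on a small alphabet.

```python
from itertools import combinations, product
from math import log2


def count_with_all_classes(length, class_sizes):
    """Strings of `length` over an alphabet split into disjoint classes that
    contain at least one symbol from EVERY class.  Inclusion-exclusion: for
    each subset of classes we leave out, add or subtract (with alternating
    sign) the number of strings drawn only from the remaining symbols."""
    total = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for omitted in combinations(class_sizes, k):  # by position, so equal sizes are fine
            count += (-1) ** k * (total - sum(omitted)) ** length
    return count


def brute_force(length, class_sizes):
    """Enumerate every string (small cases only) to confirm the formula."""
    alphabet = [(cls, i) for cls, size in enumerate(class_sizes) for i in range(size)]
    wanted = set(range(len(class_sizes)))
    return sum(1 for word in product(alphabet, repeat=length)
               if {cls for cls, _ in word} == wanted)


# Class sizes as in the post: upper, lower, digit, punctuation (94 printable ASCII total).
CLASSES = [26, 26, 10, 32]


def policy_comparison(length=8):
    """Return (unrestricted count, must-use-all-classes count, bits of entropy lost)."""
    unrestricted = sum(CLASSES) ** length
    restricted = count_with_all_classes(length, CLASSES)
    return unrestricted, restricted, log2(unrestricted) - log2(restricted)


if __name__ == "__main__":
    assert count_with_all_classes(3, [2, 1, 1]) == brute_force(3, [2, 1, 1])
    print("two digits, one from 0-4 and one from 5-9:",
          count_with_all_classes(2, [5, 5]))
    free, strict, bits = policy_comparison()
    print(f"any 8 printable chars : {free}")
    print(f"all four classes      : {strict}")
    print(f"entropy lost          : {bits:.3f} bits")
```

The loss is real but far smaller than the fixed-position product `26*26*10*32*94**4` suggests, since that product only counts strings with the classes in one particular order of positions.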