Passwords: does size matter, what characters?

Ben Scott dragonhawk at gmail.com
Fri Mar 10 14:48:01 EST 2006


On 3/10/06, Python <python at venix.com> wrote:
>> - At least 8 characters
>> - At least one each of the following character groups:
>>   - Uppercase
>>   - Lowercase
>>   - Digit
>>   - Punctuation
>
> I'm not so sure this is a good idea.  By forcing that much structure,
> you are actually reducing the randomness of the password possibilities.

  That's not really a fully accurate assessment of the situation.  You
are completely ignoring the human factor.  Think about it: If people
picked fully random passwords to begin with, we wouldn't need the
above requirements at all.  :)

  The reasoning here is that this forces people to include all the
characters one can type in their password contemplations, rather than
just monocase 'a' through 'z', which is what most people use if it is
left up to them.  In other words, without this requirement, it's
likely that every password will consist of only monocase characters,
which makes a cracker's job a *lot* easier.

  User education still plays a critical role, of course, as my
previous example pointed out.

  For my own passwords, I usually generate something completely
random, unless it's a low-value asset (e.g., some random tech support
or blog web site).

  When I'm setting password requirements for users, my recommendations
vary depending on the situation (type of people, value of data,
software features, etc.).

  After you've typed a password a few dozen times, you'll start to
remember it, whether it's pronounceable (gpw) or not.  I've seen
*that* over and over again, too.  Everybody complains "But I'll never
remember *that*", but given time, they do.  If you can memorize the
multiplication table, you can memorize an eight character password.
(If you can't memorize the multiplication table, you shouldn't be
trusted with anything needing a password in the first place.  :)  )

-- Ben
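As an added illustration (not part of Ben's message or anything else in this thread), the following Python puts numbers on the trade-off the two posters are arguing about: inclusion-exclusion counts how many 8-character passwords satisfy the four-class rule, and that count is compared in bits against a fully random 8-character password and against the monocase 'a' through 'z' passwords people pick when left to themselves. Class sizes come from Python's `string` module (32 punctuation characters, no space), which is an assumption about what the policy counts as punctuation.

```python
from itertools import combinations, product
from math import log2
import string

# Character classes the policy in the thread requires (assumed: space is
# not counted as punctuation, matching string.punctuation's 32 symbols).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "punct": string.punctuation,
}


def count_with_all_classes(length, classes):
    """Number of strings of the given length over the union alphabet that
    contain at least one character from every class (inclusion-exclusion:
    alternately subtract and add the strings missing each subset of classes)."""
    sizes = [len(chars) for chars in classes.values()]
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


def brute_force_count(length, classes):
    """Enumerate every string (tiny alphabets only) to cross-check the formula."""
    alphabet = "".join(classes.values())
    return sum(
        all(any(ch in cls for ch in pw) for cls in classes.values())
        for pw in product(alphabet, repeat=length)
    )


def search_space_bits(length=8):
    """Entropy in bits of three password populations of the given length."""
    full = sum(len(chars) for chars in CLASSES.values()) ** length
    constrained = count_with_all_classes(length, CLASSES)
    monocase = len(string.ascii_lowercase) ** length   # 'a'..'z' only
    return {
        "full_random": log2(full),            # no composition rule, all classes
        "policy_constrained": log2(constrained),  # the rule quoted above
        "human_monocase": log2(monocase),     # what people pick unprompted
    }


if __name__ == "__main__":
    for name, bits in search_space_bits().items():
        print(f"{name:20s} {bits:5.1f} bits")
```

The composition rule costs roughly one bit against a truly random 8-character password, while the monocase habit it is meant to break costs about fifteen; that is the asymmetry Ben's "human factor" point rests on.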
