Passwords: does size matter, what characters?
Python
python at venix.com
Fri Mar 10 17:15:01 EST 2006
On Fri, 2006-03-10 at 14:47 -0500, Ben Scott wrote:
> >> - At least 8 characters
> >> - At least one each of the following character groups:
> >> - Uppercase
> >> - Lowercase
> >> - Digit
> >> - Punctuation
> >
> > I'm not so sure this is a good idea. By forcing that much structure,
> > you are actually reducing the randomness of the password possibilities.
>
> That's not really a fully accurate assessment of the situation. You
> are completely ignoring the human factor. Think about it: If people
> picked fully random passwords to begin with, we wouldn't need the
> above requirements at all. :)
>
> The reasoning here is that this forces people to include all the
> characters one can type in their password contemplations, rather than
> just monocase 'a' through 'z', which is what most people use if it is
> left up to them. In other words, without this requirement, it's
> likely that every password will consist of only monocase characters,
> which makes a cracker's job a *lot* easier.
Agreed.
My point was simply that imposed structure reduces the solution space.
If you start doing any serious analysis, I suspect that forcing the
inclusion of a digit - along with the other 3 requirements - actually
hurts your security since you guarantee that one dimension of the search
space is only 10 units long. Just require mixed-case and punctuation
while allowing digits.
Here is a Yahoo approach to avoid:
http://www.schneier.com/crypto-gram-0301.html#3
--
Lloyd Kvam
Venix Corp
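Putting numbers on the two positions in this thread, as an added example that is not part of the original post: it counts, by inclusion-exclusion, how many 8-character passwords each policy admits and reports the result in bits. It assumes the 94 printable ASCII characters split into 26 upper, 26 lower, 10 digits and 32 punctuation marks, and it treats "lowercase only" as the unguided choice Ben describes.

```python
from itertools import combinations
from math import log2

# Constructed assumption: the 94 printable ASCII characters split into four classes.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "punct": 32}


def password_space(length, required, classes=CLASSES):
    """Count strings of `length` characters, drawn from all of `classes`, that
    contain at least one character from every class named in `required`.

    Inclusion-exclusion: start from all strings, subtract those that avoid one
    required class, add back those that avoid two, and so on."""
    alphabet = sum(classes.values())
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for absent in combinations(required, k):
            # strings built only from characters outside every class in `absent`
            remaining = alphabet - sum(classes[c] for c in absent)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(length, required, classes=CLASSES):
    """log2 of the number of passwords a policy admits: the size of the search
    space an exhaustive attack must cover if the user chooses uniformly."""
    return log2(password_space(length, required, classes))


def compare_policies(length=8):
    """Bits of search space for the policies discussed in the thread."""
    policies = {
        "any printable, no rules": ([], CLASSES),
        "mixed case + punctuation, digits allowed": (["upper", "lower", "punct"], CLASSES),
        "upper + lower + digit + punctuation": (["upper", "lower", "digit", "punct"], CLASSES),
        "lowercase only (unguided choice)": ([], {"lower": 26}),
    }
    return {name: entropy_bits(length, req, cls) for name, (req, cls) in policies.items()}


if __name__ == "__main__":
    for name, b in compare_policies().items():
        print(f"{b:5.1f} bits  {name}")
```

Requiring all four classes does shrink the space below the three-class policy Lloyd prefers, but only by a little over a bit, while a lowercase-only habit costs roughly fifteen bits against any of the rule sets.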