When a little knowledge is dangerous!
My employer has just added a benefit of online training for us. When I tried to create an initial password on the (here unnamed) website, it did not let me enter my password of choice. The website required a minimum of 6 characters, and at least one letter, one number and one special character. A second attempt to add '*' as the special character did not work either. So I e-mailed support and asked for the list of the special characters. The answer: any of "%$#@&" (and samples that did not quite match the list, "some.123" ???)
Well, my back of the envelope calculation tells me that with those extra requirements the password got less secure:
* 6 characters gives a combination of 67 ^ 6 = 90,458,382,169
* 4 chars + 1 special + 1 number = 67 ^ 4 * 5 * 10 = 20,151,121 * 5 * 10 = 1,007,556,050

90 billion vs 1 billion that is improvement!
Corrected the numbers for the assumption that lowercase and uppercase are distinguished.
 
I don't understand the logic, you're saying that by disallowing '*' and other characters, they decrease the number of possible passwords?

Requiring at least one character from each class of characters only really serves the purpose of preventing against dictionary attacks. But most people will just substitute '1' for 'l' and '3' for 'e' etc., then put a '!' or something on the end to satisfy the password requirements. It doesn't exactly make for a lot of extra character combinations that need to be searched.

It's funny that they disallow quotes and '*', it shows they have very little confidence in their own ability to prevent against SQL injection attacks...
 
Simple math. Assume a two character password and all upper & lower case characters allowed. 52 * 52 combinations. Now enforce at least one upper case character ==> 26 * 52 combinations. Weaker than with all characters allowed!
Just because it is a good (excellent) idea to choose a password with special characters, it is not a good idea to enforce it.
 
Well no, the math is not that simple, at least the statistics of the situation are not. You're assuming that all passwords are equally likely. But the reality is that the human brain is a particularly poor source of entropy. So if you have typed most of your password in lowercase, the probability is that you'll type all of it in lowercase. For a six-character password, requiring at least one uppercase character and one lowercase character therefore increases the number of likely passwords from 26^6 to 52*26^5, assuming all characters are equally likely (which they are not, for the same exact reason, but it doesn't change the conclusion). And if you were really equally likely to use an uppercase or a lowercase letter at each position in the password where you choose a letter (and similarly for choosing letters vs. digits / punctuation etc.), then this password restriction wouldn't be a pet peeve.
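The arithmetic in the post and in the comments above, worked through as an added example (not code from the post or from anyone in the thread). It uses the class sizes the post gives (52 letters, 10 digits, the 5 specials "%$#@&") and assumes a 6-character password; it reproduces the post's "4 free + 1 special + 1 digit" figure, then counts the same rule exactly with inclusion-exclusion (the required characters may sit in any position, which the post's count leaves out) and cross-checks that formula by brute force on a tiny alphabet.

```python
"""Password-space arithmetic for a composition rule like the one discussed.

Added example. Class sizes come from the post; the helpers, names and the
tiny alphabet used for the brute-force check are assumptions for illustration.
"""
import itertools
import math
from typing import Dict

# Character classes as the site's rule describes them (sizes from the post).
CLASSES: Dict[str, int] = {"letter": 52, "digit": 10, "special": 5}


def unrestricted(length: int, classes: Dict[str, int] = CLASSES) -> int:
    """Every position may hold any character from any class."""
    return sum(classes.values()) ** length


def fixed_positions(length: int, classes: Dict[str, int] = CLASSES) -> int:
    """The post's count: one slot pinned to each non-letter class, the rest
    unrestricted. This under-counts, because it ignores that the pinned
    characters may appear in any position of the password."""
    pinned = [size for name, size in classes.items() if name != "letter"]
    free = length - len(pinned)
    return sum(classes.values()) ** free * math.prod(pinned)


def at_least_one_of_each(length: int, classes: Dict[str, int] = CLASSES) -> int:
    """Exact number of strings with >= 1 character from every class, in any
    positions: inclusion-exclusion over the subsets of classes left out."""
    sizes = list(classes.values())
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in itertools.combinations(range(len(sizes)), k):
            alphabet = sum(s for i, s in enumerate(sizes) if i not in excluded)
            total += (-1) ** k * alphabet ** length
    return total


def bits(count: int) -> float:
    """Search-space size as log2, the way entropy is usually quoted."""
    return math.log2(count)


def brute_force(length: int, alphabets: Dict[str, str]) -> int:
    """Count the same set by enumeration over explicit (tiny) alphabets,
    used only to cross-check the inclusion-exclusion formula."""
    pool = "".join(alphabets.values())
    return sum(
        all(any(c in chars for c in pw) for chars in alphabets.values())
        for pw in itertools.product(pool, repeat=length)
    )
```

With the post's numbers, the exact "at least one of each" space for 6 characters is about 19.1 billion (roughly 34.2 bits), far above the post's 1 billion but still well below the 90 billion of the unrestricted space.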