Password Restrictions are Bad

I’ve had it up to here (imagine a 6 foot guy reaching above his head) with corporate sites, or any sites, that insist on slapping you with a password restriction. I’m talking about the infamous “Your password must be between 5 and 10 characters”, or other good ones such as “Your password must contain a number and one upper case character.”

Maybe I have indeed lost my mind when it comes to security practices. But I’m pretty sure these limitations are actually insecure.

First: you’ve just given crackers a set of boundaries to work with. It’s a lot easier to brute-force passwords when you’ve got a set of limits. The smaller the window, the easier the attack.

Second: you’re pushing people who are smart enough to already use secure passwords to use weaker ones. I’ve lost count of the number of times I’ve registered for something only to forget my password later (because I was forced to use an insecure, weak one).

This guy’s got the idea too. I’m actually surprised there aren’t more complaints like this. His Google search query reveals a lot of fun things about password restrictions.

Silly things like:

  • No spaces or symbols
  • Must have one number
  • Must have one symbol (followed by a list of allowed symbols)
  • Must have one UPPER case letter
  • Must have one lower case letter

Any combination of those silly things. Every limitation placed on a password field makes it one step easier to crack a password.

Here are some of the worst sites I’ve used lately that have horrible password policies:

  • Club Sobeys – 5 to 8 characters, one number, one upper case letter, no non-alphanumeric characters.
  • BMO Mosaik – 5 characters only, alphanumeric. I wish I was kidding on this one.

Got any horrible sites that you use?


3 Responses to “Password Restrictions are Bad”

  1. Guy says:

    Requiring at least one number/symbol/whatever per password increases security.

    There are 208,827,064,576 passwords 8 characters long, consisting only of lower case letters.

    There are 642,544,814,080 passwords 8 characters long, consisting of 7 lower case letters and one number.

    (That’s 208 billion vs. 642 billion).

    It is easier to brute force when you have set limits, but even in the case of any character being allowed, the overwhelming majority of passwords will still only be alphanumeric. By forcing people to use a symbol in their passwords, you are increasing the range of characters that will be in the typical person’s password. So in almost all cases, it will be harder to brute force.

    Just my 2 cents.

    PS
    I agree that they are harder to remember though.
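To put numbers on both sides of this (the post’s point that a length cap and a fixed character set shrink the search window, and Guy’s point that requiring a character class can enlarge the space people actually use), here is an added example that is not part of the original post or the comment. It counts how many passwords a policy admits using inclusion-exclusion over the required character classes, and sizes the two policies named in the post. The class sizes (32 printable ASCII symbols) and the “any printable ASCII, 5 to 8 characters” baseline are assumptions made for the example.

```python
from itertools import combinations

# Character-class sizes assumed for this example; "symbol" is the 32 printable
# ASCII punctuation characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def count_length(n, allowed, required=()):
    """Count length-n strings drawn from the union of the `allowed` classes that
    contain at least one character from every class in `required`.

    Inclusion-exclusion: start from all strings over the allowed alphabet,
    subtract those missing each required class, add back those missing two, ...
    """
    required = tuple(required)
    if any(c not in allowed for c in required):
        raise ValueError("every required class must also be allowed")
    total = sum(CLASSES[c] for c in allowed)
    count = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = total - sum(CLASSES[c] for c in excluded)
            count += (-1) ** k * remaining ** n
    return count


def keyspace(min_len, max_len, allowed, required=()):
    """Total number of passwords a policy admits across its whole length range."""
    return sum(count_length(n, allowed, required) for n in range(min_len, max_len + 1))


def exactly_one_digit(n):
    """Length-n strings made of exactly one digit and n-1 lower-case letters
    (the specific case computed in the comment above)."""
    return n * CLASSES["lower"] ** (n - 1) * CLASSES["digit"]


def policy_report():
    """Keyspace of the policies named in the post next to an unrestricted baseline."""
    alnum = ("lower", "upper", "digit")
    everything = ("lower", "upper", "digit", "symbol")
    return {
        # Assumed baseline: any printable ASCII character, 5 to 8 characters long.
        "any printable, 5-8 chars": keyspace(5, 8, everything),
        # Club Sobeys as described in the post: 5-8 alphanumeric, one digit, one upper.
        "Club Sobeys: 5-8 alnum, 1 digit + 1 upper": keyspace(5, 8, alnum, ("digit", "upper")),
        # BMO Mosaik as described in the post: exactly 5 alphanumeric characters.
        "BMO Mosaik: exactly 5 alnum": keyspace(5, 5, alnum),
        # The commenter's comparison: 8 lower-case letters vs. at least one digit.
        "8 lower-case only": count_length(8, ("lower",)),
        "8 chars, lower+digit, at least one digit": count_length(8, ("lower", "digit"), ("digit",)),
        "8 chars, 7 lower + exactly 1 digit": exactly_one_digit(8),
    }


if __name__ == "__main__":
    for name, size in policy_report().items():
        print(f"{name:45s} {size:>25,d}")
```

Running it reproduces the 208,827,064,576 and 642,544,814,080 figures from the comment, and shows that the BMO Mosaik policy admits fewer than a billion passwords in total, while the Club Sobeys policy is more than an order of magnitude smaller than the same length range with symbols allowed: the length cap and the banned character classes cost far more than the “must contain” rules gain.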
