Comments on: Password Restrictions are Bad http://darrylclarke.com/2009/08/18/password-restrictions-are-bad/ Random musings from a jaded coder who just needs a hug. Thu, 09 Feb 2012 05:31:23 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Phil http://darrylclarke.com/2009/08/18/password-restrictions-are-bad/comment-page-1/#comment-6789 Phil Fri, 15 Jul 2011 13:38:05 +0000 http://darrylclarke.com/?p=218#comment-6789 I found this post searching for an official reason why such seemingly arbitrary restrictions are in place. There were some plausible responses on the evanfosmark site you link to. I'm confused thinking password protocols would be standardized; instead, they look "homemade." Okay, here are some strange rules I have to deal with: from my university website: 8-14 chars long "some combination of" letters and numbers and at least one special char (e.g., +, @, #, or $) The following characters can NOT be used: _ ` & ! and then it goes on with the usual caveat about dictionary words and no prior passwords, etc. I'm wondering whether I can use the /really/ special chars like ß, ☺, ½, etc? from my financial institution: 8-15 chars long (not case sensitive), Aa-Zz, 0-9, -, _ at least one letter, one number, no spaces. So they allow the dash and underscore, but nothing else.. seems a little pointless. OTOH, if I accidentally enter the wrong password even once, I get an email saying so. I don't know why more sites aren't doing this. I found this post searching for an official reason why such seemingly arbitrary restrictions are in place. There were some plausible responses on the evanfosmark site you link to. I’m confused thinking password protocols would be standardized; instead, they look “homemade.” Okay, here are some strange rules I have to deal with:

from my university website:
8-14 chars long
“some combination of” letters and numbers and at least one special char (e.g., +, @, #, or $)
The following characters can NOT be used: _ ` & !
and then it goes on with the usual caveat about dictionary words and no prior passwords, etc.

I’m wondering whether I can use the /really/ special chars like ß, ☺, ½, etc?

from my financial institution:
8-15 chars long (not case sensitive), Aa-Zz, 0-9, -, _
at least one letter, one number, no spaces.

So they allow the dash and underscore, but nothing else.. seems a little pointless. OTOH, if I accidentally enter the wrong password even once, I get an email saying so. I don’t know why more sites aren’t doing this.

]]> By: Darryl Clarke http://darrylclarke.com/2009/08/18/password-restrictions-are-bad/comment-page-1/#comment-573 Darryl Clarke Wed, 27 Jan 2010 23:18:40 +0000 http://darrylclarke.com/?p=218#comment-573 Strange, I didn't even say they were harder to remember. Strange, I didn’t even say they were harder to remember.

]]> By: Guy http://darrylclarke.com/2009/08/18/password-restrictions-are-bad/comment-page-1/#comment-571 Guy Wed, 27 Jan 2010 11:05:38 +0000 http://darrylclarke.com/?p=218#comment-571 Requiring at least one number/symbol/whatever per password increases security. There are 208,827,064,576 passwords 8 characters long, consisting only of lower case letters. There are 642,544,814,080 passwords 8 characters long, consisting of 7 lower case letters and one number. (That's 208 billion vs. 642 billion). It is easier to brute force when you have set limits, but even in the case of any character being allowed, the overwhelming majority of passwords will still only be alphanumeric. By forcing people to use a symbol in their passwords, you are increasing the range of characters that will be in the typical person's password. So in almost all cases, it will be harder to brute force. Just my 2 cents. PS I agree that they are harder to remember though. Requiring at least one number/symbol/whatever per password increases security.

There are 208,827,064,576 passwords 8 characters long, consisting only of lower case letters.

There are 642,544,814,080 passwords 8 characters long, consisting of 7 lower case letters and one number.

(That’s 208 billion vs. 642 billion).

It is easier to brute force when you have set limits, but even in the case of any character being allowed, the overwhelming majority of passwords will still only be alphanumeric. By forcing people to use a symbol in their passwords, you are increasing the range of characters that will be in the typical person’s password. So in almost all cases, it will be harder to brute force.

Just my 2 cents.

PS
I agree that they are harder to remember though.

]]> By: Margaret http://darrylclarke.com/2009/08/18/password-restrictions-are-bad/comment-page-1/#comment-246 Margaret Thu, 15 Oct 2009 01:54:25 +0000 http://darrylclarke.com/?p=218#comment-246 I concur! I concur!

]]>