In case you forgot: password strength is based on length, not on stupid rules for humans.
The computer really doesn't care whether you use numbers and symbols and upper casing. That just makes it hard on people. The computer doesn't sweat the additional character types.
It does care about password length.
So, developers: let us pick a password of arbitrary length. 12 characters minimum, these days.
And if you must enforce an upper limit, set it to 512 bytes.
@aeveltstra that's not exactly true; dictionaries and rainbow tables exist and are widely used
Yeah, and size of the alphabet can change a lot.
For example, if you know someone's password is 12 chars and it consists only of lowercase letters (which there are 26 of), it's just 26^12 ~= 2^56 passwords to look through.
OTOH, if the person may have used lower and upper case letters, digits, or special chars, then it's (2 * (26 + 10 + 10))^12 = 92^12 ~= 2^78 possibilities, which will take 4 million times more time.
@nartagnan @Wolf480pl @charlag @aeveltstra
Stanford and several other universities have implemented their requirements such that the longer your password/phrase is, the fewer types of characters you need in it. This is pretty easy to set up on a *nix domain with PAM config options, and for Windows requires a custom PassFilt.dll loaded on your DCs.
@aeveltstra I was referring to that Stanford infographic above, that's their example password
@kitten Thank you!
Let's say you (cryptographically) randomly chose four words from the top 1,000 most common words of the English language.
log2(1000) * 4 ~= 40 bits of entropy
Not great, but dramatically stronger than your average password, and online attacks aren't really feasible. Offline attacks on bcrypt/argon2 would be doable but expensive.
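The entropy arithmetic from the two posts above (26^12 vs 92^12, and four words from a 1,000-word list), worked through as an added example; this is not code from anyone in the thread, and the guess rates used for the time estimates are assumptions chosen for illustration.

```python
import math


def charset_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password of `length` characters, each chosen
    uniformly at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(dictionary_size: int, words: int) -> float:
    """Bits of entropy for `words` words chosen uniformly (with replacement)
    from a dictionary of `dictionary_size` entries. Same formula, larger
    'alphabet': each word is one symbol."""
    return words * math.log2(dictionary_size)


def search_ratio(bits_small: float, bits_large: float) -> float:
    """How many times larger the bigger search space is (2^difference)."""
    return 2.0 ** (bits_large - bits_small)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return (2.0 ** bits) / guesses_per_second


# Assumed guess rates (illustrative, not measured): a rate-limited online
# login vs. an offline attack on a slow hash such as bcrypt/argon2.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_SLOW_HASH_GUESSES_PER_SEC = 1e5


def thread_comparison() -> dict:
    """Reproduce the numbers quoted in the thread and add one more case:
    a lowercase-only password that is simply longer."""
    lower12 = charset_entropy_bits(26, 12)        # ~56 bits
    mixed12 = charset_entropy_bits(92, 12)        # ~78 bits
    lower16 = charset_entropy_bits(26, 16)        # ~75 bits: length alone
    words4 = passphrase_entropy_bits(1000, 4)     # ~40 bits
    return {
        "lower12_bits": lower12,
        "mixed12_bits": mixed12,
        "lower16_bits": lower16,
        "words4_bits": words4,
        "mixed12_over_lower12": search_ratio(lower12, mixed12),  # ~4 million
        "words4_online_years": seconds_to_exhaust(words4, ONLINE_GUESSES_PER_SEC) / 31_557_600,
        "words4_offline_days": seconds_to_exhaust(words4, OFFLINE_SLOW_HASH_GUESSES_PER_SEC) / 86_400,
    }


if __name__ == "__main__":
    for name, value in thread_comparison().items():
        print(f"{name}: {value:,.1f}")
```

The `lower16_bits` case shows the thread's point directly: four extra lowercase characters buy almost as much as forcing all four character classes on a 12-character password.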
@manchot thanks for the explanation, but I was just wondering how many people would be lazy enough to take the example as their password
@Wolf480pl @charlag But does 4 million times more time make any difference to a tireless cloud computer farm that executes several teraflops?
No, it doesn't.
The complex character rules only serve to make it hard for normal people to remember their passwords. Which causes them to either reuse the one they do remember, or drives them into the clutches of online password vaults, which invariably get breached.