In case you forgot: password strength is based on length, not on stupid rules for humans.

The computer really doesn't care whether you use numbers and symbols and upper casing. That just makes it hard on people. The computer doesn't sweat the additional character types.

It does care about password length.

So, developers: let us pick a password of arbitrary length. 12 characters minimum, these days.

And if you must enforce an upper limit, set it to 512 bytes.

@charlag @aeveltstra
Yeah, and size of the alphabet can change a lot.
For example, if you know someone's password is 12 chars and it consists only of lowercase letters (which there are 26 of), it's just 26^12 ~= 2^56 passwords to look through.

OTOH, if the person may have used lower and upper case letters, digits, or special chars, then it's (2 * (26 + 10 + 10))^12 = 92^12 ~= 2^78 possibilities, which will take 4 million times more time.

@charlag @aeveltstra
Of course you could use a 17-character lowercase-only password for the same amount of security.

So the question is, which is easier to remember and to type correctly for a particular user. And this can vary from person to person.

@nartagnan @charlag @aeveltstra
Depends on the individual person.
I tried using 4-lowercase-word passphrases.
I mistyped them *every* *fuckin* *time*.
If they work for you, great. But they don't work for me.

@nartagnan @Wolf480pl @charlag @aeveltstra
Stanford and several other universities have implemented their requirements such that the longer your password/phrase is, the fewer types of characters you need in it. This is pretty easy to set up on a *nix domain with PAM config options, and for Windows requires a custom PassFilt.dll loaded on your DCs.
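Added worked example (not written by anyone in this thread): the keyspace arithmetic from the 26^12 versus 92^12 post, plus a checker for the kind of length-tiered policy the post above describes, where a longer password needs fewer character classes. The alphabet sizes follow the thread's assumption of 10 special characters; the tier thresholds (20+ chars: any classes, 16+: two, 12+: three, under 12: rejected) are constructed for illustration and are not Stanford's actual numbers or any real PAM or PassFilt.dll setting.

```python
import math
import string

# Alphabet size each character class contributes. The special-character count
# of 10 matches the thread's assumption; a real keyboard offers around 33.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 10}


def classes_used(password: str) -> set:
    """Return the set of character classes present in the password."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        else:
            used.add("special")
    return used


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of passwords of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length over the alphabet whose keyspace reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def estimated_bits(password: str) -> float:
    """Keyspace bits against a brute-forcer who knows which classes were used."""
    if not password:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return keyspace_bits(len(password), alphabet)


# Hypothetical length-tiered policy (constructed thresholds): each entry is
# (minimum length, number of character classes required at that length).
TIERS = [(20, 1), (16, 2), (12, 3)]


def meets_policy(password: str) -> bool:
    """Accept if the password satisfies the class requirement for its length."""
    for min_len, classes_required in TIERS:
        if len(password) >= min_len:
            return len(classes_used(password)) >= classes_required
    return False  # shorter than the lowest tier is rejected outright


if __name__ == "__main__":
    lower12 = keyspace_bits(12, 26)
    mixed12 = keyspace_bits(12, 92)
    print(f"12 lowercase chars: {lower12:.1f} bits")
    print(f"12 mixed chars    : {mixed12:.1f} bits")
    print(f"ratio             : {2 ** (mixed12 - lower12):,.0f}x")
    print(f"lowercase length for {mixed12:.1f} bits: {length_for_bits(mixed12, 26)}")
    for pw in ["correcthorsebatterystaple", "abcdefghijkl", "Tr0ub4dor&3xyz"]:
        print(f"{pw!r}: {estimated_bits(pw):.1f} bits, policy ok={meets_policy(pw)}")
```

Running it reproduces the thread's figures (about 56 and 78 bits, a factor of roughly 3.8 million, and 17 lowercase characters to match 92^12), and shows a 25-character lowercase passphrase scoring well above a 14-character four-class password while both pass the tiered policy.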

@Wolf480pl @charlag But does 4 million times more time make any difference to a tireless cloud computer farm that executes several teraflops?

No, it doesn't.

The complex character rules only serve to make it hard for normal people to remember their passwords. Which causes them to either reuse the one they do remember, or drives them into the clutches of online password vaults, which invariably get breached.
