In case you forgot: password strength is based on length, not on stupid rules for humans.
The computer really doesn't care whether you use numbers and symbols and upper casing. That just makes it hard on people. The computer doesn't sweat the additional character types.
It does care about password length.
So, developers: let us pick a password of arbitrary length. 12 characters minimum, these days.
And if you must enforce an upper limit, set it to 512 bytes.
Yeah, and size of the alphabet can change a lot.
For example, if you know someone's password is 12 chars and it consists only of lowercase letters (which there are 26 of), it's just 26^12 ~= 2^56 passwords to look through.
OTOH, if the person may have used lower and upper case letters, digits, or special chars, then it's (2 * (26 + 10 + 10))^12 = 92^12 ~= 2^78 possibilities, which will take 4 million times more time.
@nartagnan @Wolf480pl @charlag @aeveltstra
Stanford and several other universities have implemented their requirements such that the longer your password/phrase is, the fewer types of characters you need in it. This is pretty easy to set up on a *nix domain with PAM config options, and for Windows requires a custom PassFilt.dll loaded on your DCs.
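The sliding-scale policy described above, together with the 12-character minimum, the 512-byte ceiling and the length-times-alphabet search-space estimate from the earlier posts, as an added Python example that is not from anyone in this thread and not Stanford's or any PAM module's actual implementation. The length thresholds in `LENGTH_TO_CLASSES` are hypothetical, and the alphabet sizes assume printable ASCII (95 symbols in total, slightly more than the 92 used in the thread's arithmetic):

```python
import math
import string

# Policy constants from the thread: 12-character minimum, 512-byte upper limit.
MIN_LENGTH = 12
MAX_BYTES = 512

# Alphabet size per character class (assumption: printable ASCII; the 33 for
# "other" counts space plus the 32 ASCII punctuation characters).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "other": 33}

# Sliding scale in the spirit of the rule described in the thread: the longer
# the password, the fewer character classes it must contain. These exact
# thresholds are hypothetical, not Stanford's.
LENGTH_TO_CLASSES = [(12, 4), (16, 3), (20, 2), (24, 1)]


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def brute_force_bits(password):
    """Bits of work for an attacker who knows the length and the classes used
    and enumerates every string over that alphabet: length * log2(alphabet)."""
    if not password:
        return 0.0
    alphabet = sum(CLASS_SIZE[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet)


def required_classes(length):
    """Number of character classes the sliding scale demands at this length."""
    needed = len(CLASS_SIZE)  # below the first threshold, require all classes
    for min_len, classes in LENGTH_TO_CLASSES:
        if length >= min_len:
            needed = classes
    return needed


def check_policy(password):
    """Return (accepted, reasons) for a candidate password."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password.encode("utf-8")) > MAX_BYTES:
        reasons.append(f"longer than {MAX_BYTES} bytes")
    needed = required_classes(len(password))
    have = len(character_classes(password))
    if have < needed:
        reasons.append(
            f"{len(password)} characters need {needed} character classes, found {have}"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ["abcdefghijkl", "Tr0ub4dor&3!", "correct horse battery staple"]:
        ok, why = check_policy(pw)
        verdict = "ok" if ok else "rejected"
        print(f"{pw!r}: {verdict} {why} ~2^{brute_force_bits(pw):.0f}")
```

The 12-character all-lowercase example comes out near 2^56 and the 12-character four-class one near 2^78, matching the thread's figures; the 28-character lowercase phrase is accepted by the sliding scale with no symbol requirement at all.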
@Wolf480pl @charlag But does 4 million times more time make any difference to a tireless cloud computer farm that executes several teraflops?
No, it doesn't.
The complex character rules only serve to make it hard for normal people to remember their passwords. Which causes them to either reuse the one they do remember, or drives them into the clutches of online password vaults, which invariably get breached.