2

On some sites there are certain restrictions on what characters should be used in passwords. For example, it must contain at least 1 digit, 1 alphabet symbol, etc. Does it really make password harder to guess? It seems that bruteforcing such password is easier than arbitrary one. I've looked up for similar questions, but those address password length restrictions, which seem reasonable to me (minimum length, of course).

Atmaks
  • Amongst others, see [Why do so many sites disallow the use of non-alphanumeric characters in passwords?](http://stackoverflow.com/questions/1234829/why-do-so-many-sites-disallow-the-use-of-non-alphanumeric-characters-in-password) and [Is there a reason why certain sites don't allow periods in passwords?](http://stackoverflow.com/questions/3959900/is-there-a-reason-why-certain-sites-dont-allow-periods-in-passwords) – Jonathan Leffler Jul 11 '14 at 03:47
  • Arguably, yes. https://xkcd.com/936/ – Alexander O'Mara Jul 11 '14 at 03:48

2 Answers

4

By making passwords meet a larger set of conditions, some feel that they increase the security of their systems. I would argue against that. Let's take a minor example:

A password of 4 characters where 1 must be capitalized (i.e. a letter), 1 must be a number, and all entries are a letter or number. Then you have:

  • 26 letters
  • 10 numbers
  • 62 letters/numbers
  • 62 letters/numbers

That gives

26*10*62*62 combinations (for one ordering)

However, if we simply limit to all letters/numbers only then we get

62*62*62*62 combinations

It's obvious which is larger.

Now, remove the limitation of letters/numbers and allow every UTF-8 character (including space, ofc!) and that gets much larger.

By requiring certain characteristics of a password other than minimum length, the total number of combinations is reduced and that implies the overall security is reduced.

EDIT: It helps and does not hurt to have a list of passwords which are disallowed, for example cuss words, common pet names, etc., as those increase hackability while decreasing security.

  • @george There is no protection against stupidity. My passwords are generated based off around 10 dictionaries joined together, with pre-defined replacements assigned by me, a random entry from a series of patterns also defined by me, printed off in an array on a double sided sheet, laminated, and "required" hints linking only via a foreign language which refers to side/column/row, then the entries placed in my wallet with only one other copy that one other person has. Yes, I *am* paranoid. –  Jul 11 '14 at 04:09
  • Oh, now I see what you're pointing out... I typed in something, didn't work, so add some crap at the end. Yep... damn near everyone does that! –  Jul 11 '14 at 04:10
  • My thoughts exactly. I'll accept this as a correct answer. It's still unclear to me why people put these restrictions though. I mean, sites are made by professionals. They sure went through the exact same thought process as you did. – Atmaks Jul 11 '14 at 06:34
  • By that logic, why does a minimum length requirement help? – guest Jul 11 '14 at 20:55
  • "order not of consequence" -- but it is, you need to multiply that by `4!` no? – agentp Jul 11 '14 at 22:56
  • @george My statement was clearly inaccurate and I should have spent more time thinking before writing it. Thank you for the correction. My only hangup with `4!` is that I think it's not accounting for the alpha/num being poss in 2 locations. Wouldn't the multiplier be `4!/2! = 12`? I'm very tired, so may not be thinking straight. I did modify the text for the time being to be accurate. –  Jul 12 '14 at 00:15
  • @guest I can see your point. It's totally valid. Since hacking longer passwords becomes progressively harder, that added difficulty is really the only justification for a minimum length password. But such a rationale could apply to the nature of the OP's question, too. To some degree, admittedly, there are tradeoffs. I'll take the minimum-length password over password rules which people forget, write down, or constantly reset and reduce the overall number of attempts needed to attack a system. :) –  Jul 12 '14 at 00:22
-1

In math, it's called Permutation.

http://betterexplained.com/articles/easy-permutations-and-combinations/

For easy examples:

  • only 5-digit numbers: there are 10*10*10*10*10 possibilities. `ddddd: 10*10*10*10*10`
  • only 5 alphabetic characters: there are (26+26+10)^5 possibilities. `xxxxx: (26+26+10)^5`

More possibilities take more time to hack your password.

jack