It seems like when a website lists requirements as to what characters MUST be in the password, they’re only providing a password map for someone who wants to hack their system.
For instance, fsd.gov requires:
The password must be 10-14 characters in length.
The password must contain two each of the following:
Upper/lower case letters, numbers, and special characters.
An example of an acceptable password is: AAbb1234!@
Congrats! If I wanted to hack your password, now I know that trying to guess “aaaaaaaaa” will be wrong; you’ve given me clues as to what I can guess and helped narrow it down.
It seems to me that it would be more open, with more possible combinations, if they didn’t require special characters. Then if you included one, your account would be more secure.
Note – As you’ve probably guessed, I’m not a pro at security, which is why I posted here.
The goal (and normal effect) of these policies is to make it harder for an attacker to guess most people’s passwords by increasing the number of characters that an attacker needs to try in order to compromise most passwords. Theoretically, of course, you are correct that restricting the type of characters you use in a password does reduce the number of theoretically valid passwords. But the vast majority of users are lazy and, without password restrictions, attackers can leverage that laziness to greatly reduce the number of passwords that they have to check to compromise an average account.
The average user creating an account on a random web page, assuming there are no restrictions on what the password is, will choose a password that is a word from the dictionary in all lower case. Knowing this, an attacker can try the most common, say, 10,000 words from the dictionary in lower case and compromise most passwords. When you force users to use mixed-case, numbers, and/or special characters, you substantially increase the number of passwords that have to be checked for the average user.
There are, realistically, better ways of enforcing password complexity by looking at the amount of entropy in the password (such as the password meter). There are, however, reasons in practice that it is often easier to provide a rule about required characters rather than using a more sophisticated complexity checker. First, most auditors are more comfortable with a relatively simple password complexity policy that is relatively common rather than a more sophisticated policy that is harder for a human to understand. Second, providing users with a simple set of rules to follow tends to make it easier for non-technical users than a more sophisticated password entropy checker.
It’s encouraging people to use a wider range of characters than what people would use without thinking. Considering that the top password is “password”, followed by 123456 etc., it at least encourages people to think about using a broader range of characters. Special characters and numbers do improve the complexity of the password since they can be placed anywhere in the string to be legal, and mean a larger pool of passwords among the weakest.
Personally though, I think it’s clearly not effective, and that it would be superior to analyze the password through JavaScript and warn the user of insecure passwords based on what we now know following the hacking of various major websites. Sadly, forcing numbers and special characters doesn’t improve things that much due to the very common pattern of [word][number][special-character]. A link to this site might suffice as a warning: http://howsecureismypassword.net/
If you just required a password without constraints, a single letter would do, so 1 letter is 26 possible combinations.
If you require a minimum length, you have 26^N possible combinations.
If you require at least 1 case change, you have almost 52^N possible combinations.
If you add digits, you have almost 62^N possible combinations.
If you add special chars (~!@#$%^&*_-?), you have almost 74^N possible combinations.
So with the constraints you specified, you’d have almost 74^10 possible combinations, which is a big freak’n number.
Not to mention you’ve eliminated real words, which is what most people will usually use.
As far as maximum length goes, I’m not sure why they restrict the possible number of characters to 14 in that case. As far as I know there’s no reason to keep it so low. I suspect it’s for a legacy ‘space saving’ reason which doesn’t really apply for hashing passwords … let’s hope they’re hashing their passwords.
*’almost’ takes into account the fact that you can’t have something like ‘aaaaaaaaaa’.
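The 74^N estimate above, and the [word][number][special-character] pattern mentioned in the earlier answer, worked through as an added example (not code from any of the posters): it counts exactly how many strings satisfy the quoted fsd.gov rule (10-14 characters, at least two from each of four classes), compares that to an unrestricted keyspace, and flags the predictable shape. The 12 special characters are the ones listed in the answer above; the policy checker is an assumed reading of the rule as quoted in the question.

```python
import math
import re
from string import ascii_uppercase, ascii_lowercase, digits

# Character classes; the special set is the one the answer above lists (12 symbols).
SPECIAL_CHARS = "~!@#$%^&*_-?"
CLASSES = (ascii_uppercase, ascii_lowercase, digits, SPECIAL_CHARS)
SIZES = tuple(len(c) for c in CLASSES)   # (26, 26, 10, 12)
ALPHABET = sum(SIZES)                     # 74, as in the answer's 74^N

def policy_keyspace(length: int, min_each: int = 2) -> int:
    """Exact number of `length`-character strings over the 74-symbol alphabet
    that contain at least `min_each` characters from each of the four classes.
    Sums a multinomial count over every split of the positions among classes;
    with min_each=0 it collapses to the plain 74**length."""
    u, l, d, s = SIZES
    total = 0
    for a in range(min_each, length + 1):
        for b in range(min_each, length - a + 1):
            for c in range(min_each, length - a - b + 1):
                e = length - a - b - c
                if e < min_each:
                    continue
                arrangements = math.factorial(length) // (
                    math.factorial(a) * math.factorial(b)
                    * math.factorial(c) * math.factorial(e))
                total += arrangements * u**a * l**b * d**c * s**e
    return total

def keyspace_bits(n: int) -> float:
    """Keyspace size expressed as bits (log2), the usual way to compare policies."""
    return math.log2(n)

def meets_policy(pw: str, min_len: int = 10, max_len: int = 14, min_each: int = 2) -> bool:
    """The fsd.gov rule as quoted in the question: 10-14 chars, two of each class."""
    if not min_len <= len(pw) <= max_len:
        return False
    return all(sum(ch in cls for ch in pw) >= min_each for cls in CLASSES)

# The [word][number][special-character] shape the second answer calls out.
WORD_NUMBER_SPECIAL = re.compile(r"^[A-Za-z]+[0-9]+[^A-Za-z0-9]+$")

def is_predictable_pattern(pw: str) -> bool:
    """True when a password follows the common word-then-digits-then-symbols shape."""
    return WORD_NUMBER_SPECIAL.match(pw) is not None

if __name__ == "__main__":
    policy_total = sum(policy_keyspace(n) for n in range(10, 15))  # lengths 10..14
    print(f"fsd.gov policy keyspace: 2^{keyspace_bits(policy_total):.1f}")
    print(f"20 lowercase letters:    2^{keyspace_bits(26 ** 20):.1f}")
    print(meets_policy("AAbb1234!@"), is_predictable_pattern("AAbb1234!@"))
```

Note that the whole 10-14 character policy keyspace is smaller than that of a 20-character all-lowercase passphrase, which is the cost of the length cap discussed in this answer, and that the site's own example password matches the predictable pattern.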
I think it is more the result of cargo cult programming, especially where there is a maximum size to a password enforced. Whenever there is a maximum size, you just know that it’s because they are storing the passwords in clear-text, and the maximum size is the number of characters in their database’s password column.
Monkey see, monkey do.