r/mildlyinfuriating Mar 08 '16

Overdone Fuck it, hackers win.

14.6k Upvotes

595

u/[deleted] Mar 08 '16

It's actually easier for hackers to break these passwords. The list of viable options is so narrow that it speeds up a brute force crack.

201

u/Dyschord Mar 08 '16

Came here to ask this exact question. If you know the constraints on the password string, it should be much easier to brute force 8 characters.

Broad requirements like password length are fine. Requiring a range of characters, letters, and special characters would make a brute force attack harder. Requirements like no consecutive letters or repeated letters seem to weaken the password. Why would this be a good idea?

142

u/Grintor Mar 08 '16

They don't want 30% of people's passwords to be abcdef#1

Of course now those people's password is qwerty#1

179

u/ArchangelleShe Mar 08 '16

taiwan#1

38

u/Emotional_Masochist Mar 08 '16

bestkorea#1

105

u/[deleted] Mar 08 '16

No "st". Sorry bro.

38

u/nevek BLUE Mar 08 '16

putamadre#1

-4

u/Emotional_Masochist Mar 08 '16

If you're going for a stereotypical Asian accent then you don't drop both the S and the T.

1

u/Predatormagnet Mar 08 '16

Look at the picture again.

1

u/ToastedFireBomb Mar 08 '16

Supremegloriousleader#1

1

u/[deleted] Mar 09 '16

Supremegloriousleader#1

Nice try.

2

u/[deleted] Mar 09 '16

Laughed way too hard at this

1

u/thedbp GREEN Mar 08 '16

Shit. brb.

1

u/YRYGAV Mar 08 '16

Right, but if they want to prevent against that type of attack, they just have to download some "popular 8-10 character password dictionary" and check if the person's password is there.

If a password is not in a common password dictionary, it's just as secure as any other password with the same length and types of characters. If nobody has ever used the password "nOOlnml9" before, it's a good password, even though there is some pattern and repetition of characters.

The restrictions on that site scream out that whoever made them doesn't know the first thing about cracking passwords, much less how to stop people from doing it.

1

u/wardrich Mar 09 '16

P@s5word

1

u/[deleted] Mar 09 '16

Maybe that wouldn't be a problem if you didn't make them have ridiculous limitations in the first place. Why not just ban use of the 500 most common passwords (with a list for people to see if their uncreative monstrosity is there) and require a minimum of 8 characters?

1

u/lapfaptap Mar 08 '16

No. Knowing the length of someone's password has extremely little impact on its security.

1

u/zold5 Mar 08 '16

Why would this be a good idea?

It isn't. These systems are designed by idiots.

24

u/Roozi Mar 08 '16

Maybe with the consecutive and repeating symbols, but all the other requirements definitely don't decrease the password strength.

13

u/Protonion Mar 08 '16

The hackers have a much smaller list of possible passwords since there are so many restrictions

32

u/[deleted] Mar 08 '16

[deleted]

8

u/CowFu Mar 08 '16

Without physical access to the server it's pretty hard to brute force passwords. Even if you're able to get around security measures, the network latency forcing you down to 10 or so attempts per second makes it nearly impossible to crack.

1

u/[deleted] Mar 09 '16

Assuming the password was going to allow symbols and be case sensitive anyway, requiring all three be present reduces the total number of possible combinations. Yeah it prevents passwords like "letmein" but the most common point of failure for passwords is having them written down, and complexity requirements that don't lend themselves to memorization contribute to this.

6

u/MsLotusLane Mar 08 '16

Shouldn't most of these increase the list of possible passwords? Min 8 figures certainly makes it harder than if passwords were 3 or 4 letters. Plus, since people are less likely to use symbols or numbers if they don't have to, the number of possibilities each figure could be goes up from 26 to 46. So, yeah, these restrictions definitely help.

The real question is, how do you factor in the fact that it is far far more likely people will need to save this password somewhere (writing it down or saving it in a document) because they aren't going to remember it?

5

u/Cantripping Mar 08 '16

The real question is, how do you factor in the fact that it is far far more likely people will need to save this password somewhere (writing it down or saving it in a document) because they aren't going to remember it?

This always comes up and is rarely an issue, for anything you're doing at home. Who cares if you have a piece of paper somewhere with a bunch of passwords on it, someone would need to break into your home and find it to make use of it.

8

u/MrStupidDooDooDumb Mar 08 '16

I always keep a glass vial of scopolamine under my tongue to foil rubber hose attacks on my Amazon account. Anyone tries to get me to give up the pw and boom, I'm in a hallucinogenic fugue state for 2-3 days.

2

u/[deleted] Mar 08 '16

This.

It's one thing to have your passwords on a post-it on your monitor in an office landscape. That's bad. It's another thing entirely to have it at home.

Regardless though, the best of both worlds is passphrases. They need not be difficult to remember, yet they're long enough that it's impossible to brute force them.

No need for special characters and numbers if your password is 28 characters long.

1

u/Cantripping Mar 08 '16

pass phrases.

EveryoneUtilizeModernSecurity!

Seriously these are the way to go, much easier to remember and very secure from what I understand.

1

u/[deleted] Mar 09 '16

Or if you have a second authentication factor.

2

u/MsLotusLane Mar 08 '16

Ok, I guess I'm thinking most of the times I've had to create these kinds of passwords without a choice to go use another site is when I'm at work, and at the jobs I've had, security is such a concern that we're not supposed to have writing utensils. But people break the rules to write down passwords.

2

u/Cantripping Mar 08 '16

most of the times I've had to create these kinds of passwords without a choice to go use another site is when I'm at work, and at the jobs I've had, security is such a concern

This is the real catch-22; the places that generally actually need better security (corporate systems) are the places where you have the most difficult time actually remembering these crazy passwords, as you really shouldn't be writing them down there.

1

u/Uphoria Mar 08 '16

Most people use sensitive passwords at work, and because of shared work spaces your desk is often the least secure place to store something. If you are in accounting and you post your login on the screen, anyone who walks by can be the person who steals it or sells it.

At home you might not get robbed for a password, but there isn't much you do at home that anyone cares to hack anyway. You are more likely to be a target of a phishing scam or malware.

2

u/YRYGAV Mar 08 '16

It removes up to 4 possibilities from the search space per character (i.e. if the last character was 'e' the next one can't be 'e', 'E', 'f' or 'F'). So, instead of roughly ~70 possible characters (assuming roughly 8 common symbols used in passwords) it goes down to ~66. It's not a humongous difference that makes the passwords instantly crackable.

But it's pointless and doesn't actually really improve security either. It's mostly bad because it's a nuisance to users.
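A way to check the size of the effect this comment describes, as an added example that is not from the thread: an exact dynamic-programming count of 8-character strings over a constructed 70-character alphabet under the rule "no repeated letter and no alphabetically next letter, either case, right after a letter; no exact repeat after a digit or symbol", compared with the unrestricted 70^8. Both the alphabet and this reading of the site's rule are assumptions.

```python
import math
import string

# Constructed alphabet approximating the comment's "~70 characters":
# 26 lowercase + 26 uppercase + 10 digits + 8 common symbols = 70 (assumption).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def forbidden_after(prev):
    """Characters the assumed rule bans directly after `prev`: after a letter,
    that letter and the alphabetically next letter (either case); after a
    digit or symbol, only an exact repeat."""
    if prev.isalpha():
        p = prev.lower()
        banned = {p, p.upper()}
        if p != "z":
            nxt = chr(ord(p) + 1)
            banned |= {nxt, nxt.upper()}
        return banned
    return {prev}


def is_allowed(pw):
    """True if no adjacent pair in pw violates the rule
    (the thread's 'abcdef#1' and 'bestkorea#1' fail; 'qwerty#1' passes)."""
    return all(c not in forbidden_after(p) for p, c in zip(pw, pw[1:]))


def count_restricted(length):
    """Exact number of strings of `length` over ALPHABET obeying the rule,
    computed by dynamic programming over the last character."""
    ways = {c: 1 for c in ALPHABET}  # one length-1 string ends in each char
    for _ in range(length - 1):
        ways = {c: sum(w for p, w in ways.items() if c not in forbidden_after(p))
                for c in ALPHABET}
    return sum(ways.values())


def bits_lost(length):
    """Entropy (bits) the rule removes from a uniformly random password of
    `length`, relative to an unrestricted one over the same alphabet."""
    unrestricted = len(ALPHABET) ** length
    return math.log2(unrestricted) - math.log2(count_restricted(length))


if __name__ == "__main__":
    for pw in ("abcdef#1", "qwerty#1", "bestkorea#1", "taiwan#1"):
        print(f"{pw:12} allowed={is_allowed(pw)}")
    print(f"8-char search space: {count_restricted(8):,} of {70 ** 8:,}")
    print(f"entropy lost: {bits_lost(8):.2f} bits")
```

The result is roughly a quarter of the 8-character space removed, under half a bit of entropy, which is the scale the comment's 70-to-66 estimate implies.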

1

u/[deleted] Mar 09 '16

People tend to be dumb and pick obvious or similar passwords to each other. A special example is 4 digit pins, which trend heavily toward keypad patterns and birth years (i.e. the 1900-1999 range tends to be heaviest). Similar concepts apply to passwords, thus the requirements to make them choose slightly different passwords. It's just moving the goalpost as people tend to do something like easypassword1, easypassword2, etc.

5

u/sarge21 Mar 08 '16

No, the list of viable options is initially so incredibly wide that these restrictions, while making passwords more annoying to remember (which is a bad thing), barely impact the pool of potential passwords at all.

2

u/mrmahoganyjimbles Mar 08 '16

The problem with this is that, because it's so hard to remember, the vast majority of people will make passwords exactly 8 characters long. That narrows it down EXTREMELY.

2

u/restless_oblivion Mar 08 '16

This is a load of bs.

2

u/[deleted] Mar 08 '16

No it's not.

2

u/lapfaptap Mar 08 '16

Eh, no. A randomly chosen password that fulfills those criteria is perfectly safe. The problem is that it has to be remembered by a human.

2

u/rokr1292 Mar 09 '16

Relevant xkcd http://xkcd.com/936/

1

u/xkcd_transcriber Mar 09 '16


Title: Password Strength

Title-text: To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.


Stats: This comic has been referenced 2113 times, representing 2.0581% of referenced xkcds.


1

u/michael1026 Mar 08 '16

It's actually easier for hackers to break these passwords.

Depends. If you're targeting an account, yes, but if you're running a few passwords on many accounts, then no.

1

u/dipique Mar 08 '16

This isn't quite true. Most brute force attacks begin (and end!) with a dictionary attack which includes words and combinations frequently found in passwords. Eliminating these combinations from password eligibility forces a permutative search which takes orders of magnitude longer.

That doesn't mean these restrictions are a good idea (they aren't), but I see this misconception a lot and wanted to comment.

1

u/Dremlar Mar 08 '16

I got mad last week when my password had to be 25 characters or less. Most sites don't really seem so restrictive, but ones like this one make having longer passwords hard at times too.

1

u/syd430 Mar 09 '16

Not sure why this is getting so many upvotes. In a practical sense this is complete bullshit given the way most passwords are created without these restrictions.

There are almost always systems in place that prevent brute forcing anyway.

1

u/[deleted] Mar 09 '16

So far the only argument against my comment seems to be "the human factor makes restrictive passwords important". Which in a nutshell means you are saying this is better because the common person is too stupid to make a good password. Now I'm not going to argue the intelligence of the common human. The point though is that you can "what if" and "technically" anything to make a straw man point. The reality though is that by forcing a password to specific combinations and restrictions you take the infinite possibilities and condense them to a finite number. That fact alone is severely compromising to passwords. The other side of this is that when you make passwords hard to remember people write them down, but that is also a "what if" argument. It doesn't mean it's an invalid concern. It just holds no value in proving my statement right or wrong.

1

u/syd430 Mar 09 '16

The reality though is that by forcing a password to specific combinations and restrictions you take the infinite possibilities and condense them to a finite number

There's not an infinite number of possibilities because no site will let you set a 30,000 character string as a password, for example. These restrictions just add a few more than normal. As others have mentioned in this thread, it would make very little difference to brute force attacks even in a theoretical sense because you have misunderstood how brute force attacks are undertaken. You've also misunderstood how many combinations are still possible from these restrictions; it is not "so narrow". To make it as clear as possible: these restrictions have little effect on a brute force attack. I have no idea why I'm even bothering to reply to this.

1

u/[deleted] Mar 09 '16

Arguably the brute force list is shorter, but most of the "most common passwords" won't be used which are typically the first passwords attempted. The real best way to add security though is to require a minimum password length.