r/mildlyinfuriating Mar 08 '16

Overdone Fuck it, hackers win.

14.6k Upvotes

992 comments

1.6k

u/King_Baboon Mar 08 '16

That's what makes it even more infuriating. This is a government site where I have to take mandatory training.

490

u/[deleted] Mar 08 '16 edited Mar 09 '16

Well there it is. It's a government website. It needs to be secure. Password restrictions have always annoyed me on websites where it's just my shit that's going to get fucked. Yes all of these restrictions will make my shit more secure, but if I want my password to be hunter12 then that should be my prerogative. But on a government website it makes sense.

Edit: politeness

Edit 2: Jesus fucking Christ I get it. These types of passwords are more susceptible to brute force passwords. I don't need 20 of you motherfuckers to tell me the same damn thing.

809

u/[deleted] Mar 08 '16

Restrictions like OP's make the site less secure because meow a hacker has a set of rules they can use to pre-filter their attack list. Many fewer combinations to try meow.

17

u/Fonethree Mar 08 '16

You'd think so, but the fact is that without these restrictions a high number of people would use passwords that are extremely easy to guess (i.e. abcd1234 or some such). With these restrictions, yes, they give a small amount of additional information to the attacker, but they ultimately increase the security of the average user.

45

u/pulley999 Mar 08 '16

Restrictions are a double-edged sword: it stops stupid people from making stupid passwords, but each one makes the whole system orders of magnitude less secure. The "no consecutive characters" rule alone eliminates billions, possibly trillions of combinations within a reasonable length. Ideally there are other ways to try to prevent stupid people making stupid passwords than to compromise the whole system for everyone.

Relevant XKCD

10

u/sarge21 Mar 08 '16

each one makes the whole system orders of magnitude less secure. The no consecutive characters alone eliminates billions, possibly trillions of combinations within a reasonable length.

Reducing the password space by billions or trillions is not making it orders of magnitude less secure.

Even if you excluded 999 trillion passwords from all possible 8-character passwords (with caps/non-caps, symbols, numbers) you'd only be excluding 15% of the possible combinations. I don't really have the time to figure it out, but just go to a random password generator and take a look at how many times you'd have to regenerate a password, on average, to hit one of these exclusion policies. It will be extremely rare.

The XKCD is absolutely correct though, because one of the important parts of a password is being able to remember it. A long passphrase with some randomness thrown in will make a password which is impossible to brute force.
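As an added worked example (not from the thread), the numbers sarge21 quotes and pulley999's "billions, possibly trillions" estimate can be checked directly. It assumes an alphabet of the 95 printable ASCII characters and interprets the "no consecutive characters" rule as "no two identical adjacent characters", which is an assumption about what the site's rule means:

```python
# Added example (not from the thread): quantify how much a composition rule
# shrinks an 8-character keyspace, using the figures sarge21 quotes.
# Assumption: 95 printable ASCII characters, and "no consecutive characters"
# means no two identical adjacent characters.
from itertools import product
from math import log2

ALPHABET_SIZE = 95  # upper, lower, digits, symbols (printable ASCII)
LENGTH = 8


def keyspace(k: int = ALPHABET_SIZE, n: int = LENGTH) -> int:
    """Number of length-n strings over a k-symbol alphabet."""
    return k ** n


def no_adjacent_repeats(k: int = ALPHABET_SIZE, n: int = LENGTH) -> int:
    """Strings with no two equal neighbours: any first symbol, then each
    following symbol may be anything except its predecessor."""
    return k * (k - 1) ** (n - 1) if n > 0 else 1


def brute_force_no_adjacent_repeats(k: int, n: int) -> int:
    """Exhaustive count for tiny parameters, to check the closed form."""
    return sum(all(a != b for a, b in zip(s, s[1:]))
               for s in product(range(k), repeat=n))


def fraction_excluded(excluded: int, k: int = ALPHABET_SIZE, n: int = LENGTH) -> float:
    """Share of the full keyspace that a policy rules out."""
    return excluded / keyspace(k, n)


def entropy_loss_bits(allowed: int, k: int = ALPHABET_SIZE, n: int = LENGTH) -> float:
    """Bits of guessing work no longer needed against a password drawn
    uniformly from the allowed set instead of the full keyspace."""
    return log2(keyspace(k, n) / allowed)


def report() -> dict:
    total, allowed = keyspace(), no_adjacent_repeats()
    return {
        "keyspace": total,
        "share_of_999_trillion": fraction_excluded(999 * 10**12),
        "excluded_by_rule": total - allowed,
        "share_excluded_by_rule": fraction_excluded(total - allowed),
        "entropy_loss_bits": entropy_loss_bits(allowed),
    }


if __name__ == "__main__":
    print(report())
```

The rule does discard hundreds of trillions of strings, yet that is about 7% of the space, roughly a tenth of a bit of entropy, which is why both posters can be right about the raw count and disagree about "orders of magnitude".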

18

u/xkcd_transcriber Mar 08 '16


Title: Password Strength

Title-text: To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.


Stats: This comic has been referenced 2103 times, representing 2.0499% of referenced xkcds.


7

u/Fonethree Mar 08 '16

It's difficult to calculate what the change would be (it may be more than I'm estimating). Like I said in another post, this particular strategy is sort of half-baked, but still, the logic is sound.

For an example of someone that did do the math on how restrictions affect the time to brute-force a password (which, remember, is almost never the method actually used), see https://www.physicsforums.com/threads/keyspace-of-a-password.230537/#post-1701799

1

u/evoblade Mar 08 '16

"correct horse battery staple" might be overtaking "password" on this list of common passwords.

1

u/[deleted] Mar 08 '16

I use, "we boil maple sugar," or I would if it were not such an easy password to guess according to stupid IT policies.

1

u/rainwulf Mar 09 '16

Holy shit, I never thought of that. Having those restrictions makes the list of possible passwords so much smaller! Shit.

1

u/Luigimario280 Mar 08 '16

Maybe the average user should be smarter

1

u/[deleted] Mar 08 '16

Maybe we should design policy based upon how the world really is, rather than how we'd like it to be.

1

u/rainwulf Mar 09 '16

Just restrict to length. 16 characters means it won't ever be one word, or if it is, it will be a fairly low-frequency word.

0

u/PissdickMcArse Mar 08 '16

Except both of those wouldn't be allowed because of the consecutive letters and numbers thing.

3

u/Fonethree Mar 08 '16 edited Mar 08 '16

without these restrictions