r/mildlyinfuriating u/King_Baboon Mar 08 '16

Overdone Fuck it, hackers win.

Post image
14.6k Upvotes

91% Upvoted

992 comments sorted by

View all comments

Show parent comments

1.6k

u/King_Baboon Mar 08 '16

That's what makes it even more infuriating. This is a government site where I have to take mandatory training.

487

u/[deleted] Mar 08 '16 edited Mar 09 '16

Well there it is. It's a government website. It needs to be secure. Password restrictions have always annoyed me on websites where it's just my shit that going to get fucked. Yes all of these restrictions will make my shit more secure, but if I want my password to be hunter12 then that should be my perogative. But on a government website it makes sense.

Edit: politeness

Edit 2: Jesus fucking Christ I get it. These types of passwords are more susceptible to brute force passwords. I don't need 20 of you motherfuckers to tell me the same damn thing.

153

u/Toribor Mar 08 '16 edited Mar 08 '16

Password strength should be measured by bits of entropy, not arbitrary limitations. These forced limitations actually reduce the amount of possible combinations making brute forcing easier. Also, people are likely to compensate for the difficult restrictions by just writing it down. Maybe not a big deal for a one-off government website, but forcing password restrictions like this for a bank account means someone is just going to write it down on a piece of paper or save it in their phone which makes it that much easier for someone to get access to it.

3

u/[deleted] Mar 08 '16

Bits of entropy is a great way of measuring potential security, but a horrible way of measuring actual security.

This all goes without saying, but people won't use a difficult password out of generosity to your system. If you say "make a password" and you make no restrictions, you maximize entropy mathematically - my password could be '$A&FruitBalloon*<F12>@R{Sunglasses Emoji}<pageUp>', or it could be 'password'. And most people are not going to use the first when the second is so much simpler.

If you think of the search space as a one dimensional graph of arbitrary units of complexity, a graph going from 0 to infinity but having most of the passwords between in the first ten 'units', vs a graph going from one to one hundred and having none in the first ten and most in the 50's is a more secure system.

You shouldn't measure password strength by how secure it could be, but by their worst and average cases, because a hacker doesn't succeed when they find every single password, they succeed when they find just one.