486
u/[deleted] Mar 08 '16 edited Mar 09 '16
Well there it is. It's a government website. It needs to be secure. Password restrictions have always annoyed me on websites where it's just my shit that's going to get fucked. Yes, all of these restrictions will make my shit more secure, but if I want my password to be hunter12 then that should be my prerogative. But on a government website it makes sense.
Edit: politeness
Edit 2: Jesus fucking Christ I get it. These types of passwords are more susceptible to brute force passwords. I don't need 20 of you motherfuckers to tell me the same damn thing.
I feel like all these restrictions would make it less secure? I mean the more restrictions you add, the fewer possibilities there are for passwords. Which means fewer passwords that an intruder would have to guess. Add enough restrictions and eventually 'hunter12' will be the only possible password to use.
This is the layman's understanding but (as is often the case) it is incomplete.
Let's say there are no password restrictions, except that the maximum number of characters allowed is 10, and you can't use crazy characters like Unicode - any printable character visible on your keyboard is fair game. The number of possible password combinations is 60510648114517025000. That's a lot - probably too many to reasonably guess any if we assume that the actual users' passwords are randomly generated in this space. But that's the problem, isn't it? They won't be.
On such a site, some portion of the users will opt for no password at all, a password of 1234, a password of 123456, a password of "password", etc. An attacker will guess all of these things first since they know that some people will be using them. If they can get an appreciable number of users in a very small amount of time, they will. And then they can just move on to the next site and do it all over again, rather than spending time trying to crack passwords.
Adding restrictions like the ones in the OP will reduce the total attack space, yes. But that doesn't really matter when that is so rarely the thing that the attacker is targeting. What a competent attacker is targeting is the user. If you make your users make more "random" passwords, then they're less likely to fall victim by using something that's in the attacker's pre-sorted list of likely passwords.
EDIT: That's not to say this example (in the OP) is perfect. It's definitely a sort of half-baked system, but the spirit of the restrictions is perfectly valid.
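A worked illustration of the two quantities the reply above contrasts, added here as an example and not part of any comment in the thread: the exact size of the "up to 10 printable characters" space, and how many accounts in a population fall to a short list of popular passwords before any real cracking happens. The 95-character printable ASCII alphabet, the popular-password list, the sample user population and the minimum length of 8 in the policy check are all constructed assumptions for the example; the real thread does not list the OP's actual rules.

```python
"""Keyspace size versus a popular-password shortlist (added example).

The user population and the 'popular password' list are constructed
sample data for illustration, not real statistics.
"""
import string

# The 95 printable ASCII characters: string.printable minus the control
# whitespace (tab, newline, CR, VT, FF). The space character is kept.
ALPHABET = [c for c in string.printable if c not in "\t\n\r\x0b\x0c"]


def keyspace_size(max_len: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Exact number of passwords of length 1..max_len over the alphabet.

    Uses Python integers so the result is exact rather than a float.
    """
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


# Constructed shortlist in the order a guess-the-popular-ones strategy
# would try them; the comment above names the first few.
POPULAR = ["", "1234", "123456", "password", "qwerty", "letmein"]


def compromised_by_shortlist(users: dict, guesses=POPULAR) -> list:
    """Accounts that a fixed shortlist opens with no per-account effort.

    This is the cheap attack the reply describes: it ignores the keyspace
    entirely and only depends on how users actually choose passwords.
    """
    return [name for name, pw in users.items() if pw in guesses]


def shortlist_hit_rate(users: dict, guesses=POPULAR) -> float:
    """Fraction of the population the shortlist compromises."""
    return len(compromised_by_shortlist(users, guesses)) / len(users)


def policy_ok(pw: str, min_len: int = 8, denylist=POPULAR) -> bool:
    """Defensive check in the spirit of the restrictions: shrink the
    keyspace slightly, but push users off the shortlist entirely.

    Assumed rules: minimum length and a denylist of popular passwords.
    """
    return len(pw) >= min_len and pw.lower() not in denylist


# Constructed sample population (three of five pick shortlist entries).
USERS = {
    "alice": "password",
    "bob": "Tr0ub4dor&3",
    "carol": "123456",
    "dave": "",
    "erin": "hunter12",
}

if __name__ == "__main__":
    print("keyspace (1..10 chars, 95 symbols):", keyspace_size(10))
    print("opened by shortlist:", compromised_by_shortlist(USERS))
    print("hit rate:", shortlist_hit_rate(USERS))
    survivors = {n: p for n, p in USERS.items() if policy_ok(p)}
    print("opened after policy:", compromised_by_shortlist(survivors))
```

The point the reply makes falls out directly: the keyspace is about 6e19, yet the shortlist opens 60% of the constructed population without touching it, and the same shortlist opens none of the accounts that pass the policy check.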