r/mildlyinfuriating Mar 08 '16

Overdone Fuck it, hackers win.

14.6k Upvotes

992 comments

212

u/space_keeper Mar 08 '16 edited Mar 08 '16

In case anyone is interested, here is the information this set of rules is giving a potential attacker, and their consequences:

  • Passwords must be at least 8 characters in length: means that it's safe to assume that a lot of passwords will be exactly 8 characters in length.
  • Passwords must include at least one non-alphanumeric printable character: rules out passwords that consist only of alphanumeric characters (order 10^9); very likely that there will be exactly one symbol, and that it will occur either at the start or at the end of the string; good chance the symbol will be one of the four symbols (#, *, $, @) shown in the rules.
  • Passwords must include at least one number: as above, very likely that there will be exactly one number, and that it will occur at the start or end of the password; good chance that it will be the number 1 or some number between 50 and 98, i.e. year of birth, minus any years with repeated/consecutive numbers.
  • Passwords cannot contain repeated characters: rules out many more (> 10^11?) potential passwords that feature runs of the same character. Prevents users from using the string password in their passwords, also stops people from using passwords like $password1, $password2, etc.
  • Passwords cannot contain (alphanumerically or not?) consecutive characters: this one is incredibly stupid, intended to prevent combinations like 12345, abc, and the like, but forbids many short (2-3 character) combinations that can easily be generated randomly.

1

u/sadacal Mar 09 '16

These rules generate way more combinations than they rule out. 8 character passwords alone have more combinations than the lower 7 combined. The rest prevent dictionary attacks.

1

u/space_keeper Mar 09 '16

8 character passwords alone have more combinations than the lower 7 combined

I'm not sure how that affects anything I've said.

These rules generate way more combinations than they rule out.

I'd like to see some maths before I take your word for it. Two of these rules specifically reduce the number of combinations by a factor of 10^10 at the bare minimum.

A properly tailored dictionary (as part of a hybrid attack) would work against this by making assumptions about user habits (password length, symbols/numbers in predictable positions). Yes, a naive dictionary attack will not work, but it's 2016, not 2002.

1

u/sadacal Mar 09 '16

Even if a hacker knows the password length is 8 it will take them longer to go through all 8 character combinations than the lower 7 combined. Making a minimum length makes it harder for hackers, not easier as you claim.

Where are you even getting the number 10^10 from? The number of combinations the other rules reduce is a function of password length so I don't know where you are pulling your numbers from.

1

u/space_keeper Mar 09 '16

I think you've misunderstood something? When I say that the minimum 8-character condition makes it easier (and I explained this pretty clearly), I specifically said that it makes it much more likely that people's passwords will be exactly 8 characters, not 9, 10, 20, etc. I didn't say anything about 7-character passwords, you've come up with that yourself.

As for 10^10, that's because there are around 100 printable ANSI characters to choose from (the number is actually 95). I have made a very rough estimate of the bare minimum, and I've been frank elsewhere that I don't know how to calculate this exactly. As I said in the previous comment, if you can provide mathematics that make sense, I'll take your word for it. Otherwise, settle down.

1

u/sadacal Mar 10 '16

Uh what? The 8 character minimum isn't going to somehow magically force people who tend to make longer than 8 character passwords anyways to somehow cut their passwords down to 8 characters. The only thing it will do is force people who tend to make shorter than 8 character passwords to increase their password length, very likely to exactly 8 characters, which is how I interpreted your point. Your reasoning about how having an 8 character minimum will somehow make people decrease their password length to 8 characters makes absolutely no sense. You will have to explain your reasoning behind it much more clearly if you want me to understand.

What does the fact that there are 100 printable ANSI characters have to do with anything? If you are trying to say that forcing people to use a number or a non-alphanumeric character means you are limiting their options and reducing it from 100 to around 10, then you are missing the point of the rules in the first place. Without them it is very likely that people will only use alphabetical characters in their passwords (as you pointed out in your original post), which with an 8 character minimum means at least 26^8 combinations. If you force people to use at least one number and special character you are now looking at 40^8 minimum number of combinations. (26 alphabetical + 10 numerical + 4 most common special characters). Even if we followed your claim that people will only put the non-alphabetical characters in the first and last position, we are still looking at (14^2)*(26^6) combinations. Your reasoning that the middle should only contain alphabetical characters directly contradicts the claim you made in this post that people are going to choose from the 100 printable ANSI characters and that by limiting one character to either a numeral or special character you are actually reducing the possibilities from 100 to 10.
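An added example (not from either commenter) that encodes the five rules listed in the first comment as a policy checker and computes the 8-character keyspace figures argued over in the last comment, so a reader can check the arithmetic rather than take either side's word for it. It assumes "repeated" means two identical characters side by side and "consecutive" means two adjacent characters whose ASCII codes differ by one; the thread itself leaves both undefined.

```python
"""Password-policy checker and keyspace calculator for the rules quoted in the
thread.  Assumptions (the thread does not define them): "repeated" = the same
character twice in a row, "consecutive" = adjacent ASCII codes one apart."""
import string

PRINTABLE = {chr(i) for i in range(32, 127)}       # the 95 printable ASCII characters
SYMBOLS = PRINTABLE - set(string.ascii_letters) - set(string.digits)


def check_policy(pw: str) -> list[str]:
    """Return the names of the rules that pw breaks (empty list = accepted)."""
    bad = []
    if len(pw) < 8:
        bad.append("length")
    if not any(c in SYMBOLS for c in pw):
        bad.append("symbol")
    if not any(c in string.digits for c in pw):
        bad.append("digit")
    if any(a == b for a, b in zip(pw, pw[1:])):          # "ss" in password
        bad.append("repeated")
    if any(abs(ord(a) - ord(b)) == 1 for a, b in zip(pw, pw[1:])):  # "ab", "12"
        bad.append("consecutive")
    return bad


def keyspace_estimates() -> dict[str, int]:
    """Size of the 8-character space under each assumption made in the thread."""
    return {
        "letters_only": 26 ** 8,                 # lower-case letters only
        "letters_digits_4_symbols": 40 ** 8,     # 26 + 10 + the four listed symbols
        "symbol_and_digit_at_ends": 14 ** 2 * 26 ** 6,  # non-letters only at the ends
        "all_printable": 95 ** 8,                # uniform over printable ASCII
        "no_adjacent_repeat": 95 * 94 ** 7,      # all_printable minus adjacent repeats
    }


def reduction_from_repeat_rule() -> int:
    """How many 8-character printable-ASCII strings the repeat rule removes."""
    est = keyspace_estimates()
    return est["all_printable"] - est["no_adjacent_repeat"]


if __name__ == "__main__":
    for pw in ("Tr@k9Bz2", "$password1", "abc12345", "Short1!"):   # constructed samples
        print(f"{pw!r}: {check_policy(pw) or 'accepted'}")
    for name, size in keyspace_estimates().items():
        print(f"{name:28s} {size:.3e}")
    print(f"removed by repeat rule: {reduction_from_repeat_rule():.3e}")
```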