Restrictions like OPs make the site less secure because meow a hacker has a set of rules they can use to pre filter their attack list. Many less combinations to try meow.
In case anyone is interested, here is the information this set of rules is giving a potential attacker, and their consequences:
Passwords must be at least 8 characters in length: means that it's safe to assume that a lot of passwords will be exactly 8 characters in length.
Passwords must include at least one non-alphanumeric printable character: rules out passwords that consist only of alphanumeric characters (order 109 ); very likely that there will be exactly one symbol, and that it will occur either at the start or at the end of the string; good chance the symbol will be one of the four symbols (#, *, $, @) shown in the rules.
Passwords must include at least one number: as above, very likely that there will be exactly one number, and that it will occur at the start or end of the password; good chance that it will be the number 1 or some number between 50 and 98, i.e. year of birth, minus any years with repeated/consecutive numbers.
Passwords cannot contain repeated characters: rules out many more (> 1011 ?) potential passwords that feature runs of the same character. Prevents users from using the string password in their passwords, also stops people from using passwords like $password1, $password2, etc.
Passwords cannot contain (alphanumerically or not?) consecutive characters: this one is incredibly stupid, intended to prevent combinations like 12345, abc, and the like, but forbids many short (2-3 character) combinations that can easily be generated randomly.
Saying it's the biggest hole of all is a bit of a hyperbole, I was just quoting a professor I used to have, but I still think it's very high on the list. Most other things can be accounted for, a competent IT security worker can defend a server against automated attacks with some effort. Setting some rules to stop people from using passwords like "password" isn't difficult to stop smarter attacks.
But if someone writes down their information the security that IT can provide doesn't matter much anymore. It switches the focus of protection from the IT department to the user; now one of the easiest avenues of attack is just to get that password. If someone leaves their password on their desk, someone with access to the building can just walk in and take it. All they need to do is find one. Excessively frequent mandated password changes only increases the chances of it happening.
Sure for your day to day employee this doesn't matter but in high value situations it's a real risk. I'm pretty sure no one cares if you write down your personal passwords in your own home, I'm talking about in business situations.
Yeah, it's definitely a bigger risk in a business environment. With that context in place, I'd agree that it's important to physically secure passwords. But how much that matters also depends on the physical security posture of the whole building, your floor, your area, etc. Generally speaking though, averaging out the entire internet population, I would argue that writing down your password is way less dangerous than using a weak one.
805
u/[deleted] Mar 08 '16
Restrictions like OPs make the site less secure because meow a hacker has a set of rules they can use to pre filter their attack list. Many less combinations to try meow.