Password complexity requirements really piss me off. While it isn’t my favourite activity in the world, let’s do some math.
There are 52 characters in a-zA-Z. Add 0-9 and the symbols on a keyboard and you get roughly 80 characters (the full printable ASCII set is 95). So for a 6-character password drawn from that set, where the minimum requirements are a lowercase letter, an uppercase letter, a number and a symbol, the upper bound on the number of combinations is 80 to the power of 6, which is 262,144,000,000. (It is an upper bound: forcing every class to appear actually removes the all-letter and all-digit strings from that set, so the real count is somewhat smaller, not larger.) Well gee, that’s a lot. It sure must take a bruteforcer a long time to crack that. Well, not really. This page I found for benchmarking CUDA with md5 calculates everything in millions-of-md5-hashes-per-second. That’s one computer, using consumer (albeit high-end) equipment. It wouldn’t take long to bruteforce that, and MD5 is exactly the kind of fast hash that makes the rate so high.
What if the password requirements were only a-zA-Z but SEVEN characters? 52 to the power of 7 is 1,028,071,702,528 combinations. About four times as many combinations, but with very lax character requirements.
Sysadmins, stop terrorizing us with your crazy password complexity requirements! If you want your passwords to be safe, make them long! A 12 to 20 character letter-only password can be far easier to memorize AND significantly stronger.
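To make the comparison above exact rather than estimated, here is an added example (not code from the original post) that computes the keyspace for each policy. The naive count is alphabet size to the power of length; the function `keyspace_requiring_all` uses inclusion-exclusion to count only the strings that actually satisfy a “one of every class” rule, which the post’s 80^6 figure overstates. The hash rate of one billion MD5/s used in the demo is an assumed illustrative figure, not a number from the post or the benchmark page it cites.

```python
"""Keyspace arithmetic for the password policies discussed in the post."""
from itertools import combinations
import string

# Disjoint character classes. The post rounds "letters, digits and symbols"
# to about 80 characters; printable non-space ASCII is actually 94.
LOWER = string.ascii_lowercase   # 26
UPPER = string.ascii_uppercase   # 26
DIGITS = string.digits           # 10
SYMBOLS = string.punctuation     # 32
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def keyspace(alphabet_size: int, length: int) -> int:
    """Naive count: every string of `length` over an alphabet of that size."""
    return alphabet_size ** length


def keyspace_requiring_all(classes, length: int) -> int:
    """Exact count of strings of `length` over the union of `classes` that
    contain at least one character from every class (inclusion-exclusion).
    Classes must be disjoint. For each subset of classes we forbid, we
    count the strings over the remaining characters and alternate signs."""
    sizes = [len(c) for c in classes]
    total = sum(sizes)
    count = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(range(len(classes)), k):
            remaining = total - sum(sizes[i] for i in excluded)
            count += (-1) ** k * remaining ** length
    return count


def seconds_to_exhaust(space: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given hash rate."""
    return space / hashes_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed illustrative rate (1 billion MD5/s); not from the post
    policies = [
        ("6 chars, ~80-char alphabet (post's estimate)", keyspace(80, 6)),
        ("6 chars, 94-char alphabet, all 4 classes required",
         keyspace_requiring_all(ALL_CLASSES, 6)),
        ("7 chars, letters only", keyspace(52, 7)),
        ("12 chars, letters only", keyspace(52, 12)),
    ]
    for name, space in policies:
        days = seconds_to_exhaust(space, rate) / 86400
        print(f"{name:52s} {space:>24,d} {days:>14,.2f} days")
```

Running it shows the ordering the post argues for: the exact all-four-classes count for 6 characters (about 1.88e11) is below the post’s 80^6 estimate, and both sit well under 52^7; the 12-character letters-only policy is larger by nine orders of magnitude. The `(-1) ** k` term is the whole trick: strings missing class A, missing class B, and so on are subtracted, their pairwise overlaps added back, and so forth.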
Comments (1)
All passwords are not created equal. Sysadmins enforce strict requirements to help prevent stupid passwords, not to play games with combinatorics.
Most attacks are shallow, searching for weak passwords across a large number of accounts or systems. Case in point: the constant bombardment of SSH connections that any computer with an exposed SSH daemon receives. Strict requirements help protect a system from being vulnerable to these “drive-by” attacks by shoring up the minimum password strength on the system.
From the perspective of someone trying to gain access to a particular account, your math is insufficient. Searching a-z will only find passwords that exactly follow the minimum requirements; if someone uses a capital letter or symbol when not required by the sysadmin, they would not find it. Thus, they would have to check capital letters and symbols anyways if they want to be sure.
While some sysadmins go too far (e.g. requiring changes every 10 days), I think requirements like 8+ characters, lower case, upper case and symbols, not based on a dictionary word or their account name, are all reasonable. It doesn’t matter how long it would take to crack any password of length 9 if the password is “butterfly”.
Comment by Michael Melanson — October 26, 2008 @ 8:29 am