in reply to Re: Re: Basic password checking
in thread Basic password checking

I don't agree. In fact, if you use ba1@a1@a1@a1@b you are stuck again with the same problem: the password is full of similar characters, but... acceptable.

Yes, and? Because you already accept passwords with only N characters, you shouldn't reject a password of N + k characters because there's repetition in the final k characters. If it's ok for the final k characters to not be there, they can't make it easier to guess the password if they are there.

If ba1@a1 doesn't contain too much repetition, and hence is safe, then ba1@a1@a1@a1@b should be safe too. I mean, it doesn't get easier to break in your house if you add a lock on your door, even if that lock uses the same key as one of your other locks? It may not contribute much, but it doesn't make it go from safe to unsafe.

Abigail

I see the light! and a new question [Re: Re: Basic password checking]
by bronto (Priest) on Jul 31, 2003 at 17:10 UTC

    Wow! After discussing your point of view with a System Administrator friend of mine (in Italian, that made things far easier to understand), I finally get your point!

    What my friend said to make me understand your point was:

    se la lunghezza minima della password è 6, il tuo livello di sicurezza è quello dato dalle password di lunghezza 6, non da quelle più lunghe; quelle più lunghe aggiungono qualcosa in più, ma la sicurezza dipende da quanto sono sicure le password più corte

    that put in English sounds like: if the minimal length for your passwords is 6, then your security level is the one that 6-character long passwords give, not the one given by longer passwords; longer passwords add something more, but security depends on how secure the shortest passwords allowed are.

    So, actually, if the minimal length allowed for a password is N and we have an M>N password, it should be considered secure if we can find at least one secure N-subset of it. Right?

    Thanks for pointing me in the right direction, and since I am here I'd add a new question:

    How much strength would it add to the algorithm, without complicating it too much, to impose that an M-character long password should contain p*M different symbols (e.g. p=2/3)?

    Ciao!
    --bronto


    The very nature of Perl to be like natural language--inconsistent and full of dwim and special cases--makes it impossible to know it all without simply memorizing the documentation (which is not complete or totally correct anyway).
    --John M. Dlugosz
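A checker combining the two ideas in this thread, as an added example (not code from either poster): bronto's criterion is used as the base test (at least p*M distinct symbols, p = 2/3), and Abigail's rule is applied on top of it, so a password longer than the minimum N is accepted when at least one N-character window passes the base test rather than the whole string. Function names, the parameter values, and the reading of "N-subset" as a contiguous N-character window are assumptions.

```python
from fractions import Fraction
from typing import Optional

MIN_LEN = 6                      # N: minimum password length (assumed value)
DISTINCT_RATIO = Fraction(2, 3)  # p: required share of distinct symbols


def distinct_enough(candidate: str, p: Fraction = DISTINCT_RATIO) -> bool:
    """Base test (bronto's proposal): at least p * len(candidate) distinct symbols.
    Fractions are used so that 4 distinct out of 6 compares exactly against 2/3."""
    if not candidate:
        return False
    return Fraction(len(set(candidate)), len(candidate)) >= p


def safest_window(password: str, n: int = MIN_LEN,
                  p: Fraction = DISTINCT_RATIO) -> Optional[str]:
    """Abigail's rule: an M > N password is as strong as its strongest
    N-character part, because the extra characters could simply be absent.
    Returns the first N-character window that passes the base test, or None."""
    if len(password) < n:
        return None
    for start in range(len(password) - n + 1):
        window = password[start:start + n]
        if distinct_enough(window, p):
            return window
    return None


def acceptable(password: str, n: int = MIN_LEN,
               p: Fraction = DISTINCT_RATIO) -> bool:
    """Accept when some N-character window on its own would be accepted."""
    return safest_window(password, n, p) is not None


def whole_string_acceptable(password: str, n: int = MIN_LEN,
                            p: Fraction = DISTINCT_RATIO) -> bool:
    """The contrasting policy: apply the base test to the full password.
    This is the variant that rejects ba1@a1@a1@a1@b while accepting ba1@a1."""
    return len(password) >= n and distinct_enough(password, p)


if __name__ == "__main__":
    for pw in ("ba1@a1", "ba1@a1@a1@a1@b", "aaaaaa1@"):  # constructed samples
        print(f"{pw!r}: window rule={acceptable(pw)} "
              f"(via {safest_window(pw)!r}), whole-string rule="
              f"{whole_string_acceptable(pw)}")
```

Run it to see that the thread's example ba1@a1@a1@a1@b is accepted under the window rule because ba1@a1 qualifies, whereas the whole-string rule rejects it even though it accepts the shorter ba1@a1.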