in reply to Demonstrate Weakness of "Standard Format" Passwords

It is indeed very silly to put such artificial constraints on passwords. As a matter of fact any constraint on the composition of passwords will dramatically reduce the keyspace and is therefore a bad idea.

On the other hand you cannot entrust users to choose their own passwords or you get names of pets, birthdates and abc123 all over the place.

Only fully random passwords offer any real level of security, but nobody will be able to remember them and people will then start writing them on scraps of paper which are "hidden" under the keyboard.

I did have some success with the Crypt::GeneratePassword module, which generates "pronounceable" random passwords. The keyspace is of course not as large as a truly random password generator's, but for all but the most critical applications it seems OK.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Re^2: Demonstrate Weakness of "Standard Format" Passwords
by sauoq (Abbot) on Nov 11, 2005 at 23:53 UTC
    As a matter of fact any constraint on the composition of passwords will dramatically reduce the keyspace and is therefore a bad idea.

    I strongly disagree with this assertion for one particular constraint... Disallow "words". I.e. dictionary words, names, pop culture words, jargon, etc. That one's a must and crack (or your favorite replacement) with a good set of dictionaries should be run regularly to make sure it is enforced. There are some other good restraints: disallowing dates, phone numbers, and bible verse references for instance.

    -sauoq
    "My two cents aren't worth a dime.";