Re: Password Generation and Module Multiplication

What all these password complexity rules do is to actually reduce the set of possible passwords by several orders of magnitude and thereby make brute force attacks many times easier.

The only way to avoid users using easy to guess passwords (their user name, or date of birth, or ...) is to not allow them to choose their own password but provide them with a random password they have to use. For real security, you cannot trust the user to come up with a strong password.

As far as a computer security is concerned "ADAM" is as good a password as "uhulhbjGKVOILHS885AS72JGHS65G33".

Just by spelling out the complexity rules of the password,you have made it hackers soo much easier. The only good rule as far as security is concerned is "there are no rules, other than 'throw some random characters together'.

CountZero

A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

Comment on Re: Password Generation and Module Multiplication

Replies are listed 'Best First'.
Re^2: Password Generation and Module Multiplication by raybies (Chaplain) on Nov 24, 2010 at 13:29 UTC
Not to mention you can't remember strong passwords so you tend to write them down. I once had to generate a password for some military app that was so bad, it had to be some 20+ characters without any common words, nor could you use common numbers and symbols inplace of letters, so a password like, "P@$$W0rd" wouldn't work. I ended up writing it down somewhere... in my own special code I made up so as to confuse anyone who saw it (mostly inspectors who will write you up if they find passwords written on papers glued to monitors).	[reply]
Re^3: Password Generation and Module Multiplication by CountZero (Bishop) on Nov 24, 2010 at 14:04 UTC
Yes, that is absolutely the downside of strong random passwords: nobody can remember them, therefore writes them up on a piece of paper and then tapes that to his/her monitor! As soon as you write something fool-proof, along comes a better fool. CountZero A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James	[reply]
Re^2: Password Generation and Module Multiplication by ysth (Canon) on Nov 28, 2010 at 08:11 UTC
Brute force attacks against a single password, granted. But without complexity rules, a letter-only brute force attack or rainbow table attack against a list of hashed passwords will too easily pick off the lazy users. I'd assume the complexity rules are really designed to protect against this case. -- A math joke: r = \| \|csc(θ)\|+\|sec(θ)\|-\|\|csc(θ)\|-\|sec(θ)\|\| \| Online Fortune Cookie Search Office Space merchandise	[reply]
Re^3: Password Generation and Module Multiplication by locked_user sundialsvc4 (Abbot) on Nov 29, 2010 at 13:42 UTC
That, basically, is the case. The number-one most often used password is: `password`. Close behind them are: `enter, secret.` Nevertheless, it doesn’t work. Enforcing complex password-rules simply causes more passwords to be written down. When a system is broken into, it usually is not from “forcing” a password. There are too many “other” ways into a complex system.