in reply to Re^3: Password strength calculation
in thread Password strength calculation

You'd be right if people randomly picked a password from the entire key space (picking with a uniform distribution). But if you allow passwords with a length of 4 - 10000 characters, with no restriction on the character set, there will be people that pick a four character password, with all lowercase ASCII letters.

And attackers know that password picking cracking is more than math. Psychology plays a role as well. They will try "dictionary" attacks first, because people pick short existing words far more often than you would get by picking a random element from the total set of allowed passwords.

Replies are listed 'Best First'.
Re^5: Password strength calculation
by BrowserUk (Patriarch) on Jan 20, 2012 at 23:25 UTC
    They will try "dictionary" attacks first,

    Why? When it takes 17 seconds to eliminate all the 6-character alphanumeric possibilities on a single gpu, you might as well run it anyway.

    Unless you know for sure that you can exclude them, in which case, why not save a few cents.

    Yes, a minimum length is a good idea, but 4, 6 or 8 simply isn't enough to make the slightest difference. You aren't even vaguely affecting anything until you get to at least 12-chars these days.

    The more logical approach would be to exclude all known words (in all languages). But if the attacker knows you are doing it, you've still helped rather than hindered him.

    In the end, any known restrictions simply help the attacker.

    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.

    The start of some sanity?
[reply]
      Wait, you're saying disallowing people to pick passwords that an attacker can crack in 17 seconds helps an attacker?

      That's a logic I cannot phantom.

[reply]
        Wait, you're saying disallowing people to pick passwords that an attacker can crack in 17 seconds helps an attacker?

        Yes. It is 17 seconds of work he doesn't have to do.

        If don't have a length restriction, the majority of people will still use more than that and he has to look.

        If you do have a length restriction, he no longer has to.

        It's not much, but combine that with other restrictions and you are simply reducing the search space.

        That's a logic I cannot phantom.

        Sure you can.

        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.

        The start of some sanity?
[reply]

In Section Seekers of Perl Wisdom