Re^7: Password strength calculation

Wait, you're saying disallowing people to pick passwords that an attacker can crack in 17 seconds helps an attacker?

Yes. It is 17 seconds of work he doesn't have to do.

If don't have a length restriction, the majority of people will still use more than that and he has to look.

If you do have a length restriction, he no longer has to.

It's not much, but combine that with other restrictions and you are simply reducing the search space.

That's a logic I cannot phantom.

Sure you can.

With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

Comment on Re^7: Password strength calculation

Replies are listed 'Best First'.
Re^8: Password strength calculation by JavaFan (Canon) on Jan 21, 2012 at 10:26 UTC
If don't have a length restriction, the majority of people will still use more than that and he has to look. Sure, but security should work for everyone, not just the majority. Without a length restriction, a significant minority will pick short passwords. If there are 12 people that can access my credit card information, I'm not satisfied if the majority of them picks a long password. I rather want it enforced that all of them have a long password; I think that outweights the 17 seconds an attacker gains.	[reply]
Re^9: Password strength calculation by BrowserUk (Patriarch) on Jan 21, 2012 at 10:28 UTC
You are still missing the point. If you are going to apply a minimum, then it should be at least 12. By enforcing 6 or 8, you are encouraging unsafe passwords. With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday' Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error. "Science is about questioning the status quo. Questioning authority". In the absence of evidence, opinion is indistinguishable from prejudice. The start of some sanity?	[reply]