When you create a password, it's often recommended to use a variety of character mixed with numbers, special characters, upper and lower case, etc. because all these things create a higher level of diversity and thereby the number of combinations required to brute-force determine your password.

Not only is it often suggested, though, it's often <i>demanded</i>.  Guess what, as soon as you make those things mandatory, you've just made everyone's passwords weaker.

When you add parameters of what a password must be, such as limiting the length to a specific number, requiring a certain special character or characters and require upper and lower case, those are all guaranteed to be in the password now, significantly limiting the combinations required, which was the entire point of enforcing it from the start.

Every requisite is essentially a hint.  Take a look at this Government of Canada registration form:
Registration form

Just from this, you know that for any given password you know the approximate length, the variety and even the set of available special characters from which to select.

As an example of the issue, let's use a 4-digit pin number.  Let's say our pin number is 1862

There are 10,000 combinations.  Meaning there's a 1/10000 chance of randomly guessing the number.

Lets add a restriction now: each number must be different so predictable options such as 9999 are weeded out. Well then, we now have only 5,040 combinations.

Hey, we don't want pin numbers like 1234 so let's not allow 3 consecutive numbers either.  Well, we're down to 4,410 combinations.

We also want to make the numbers varied, so let's require at least one digit to be between 0-2 and another to be between 7-9.  That brings us down under 1,000 combinations.

All in all, our limitations have weakened the pin number 1862, which fits all requirements, by more than 10-fold.  At the cost of eliminating weaker passwords, we've weakened all passwords.

Posted by Ellyoda Sun, 05 Oct 2008 08:50:01 (comments: 6)
Sun, 05 Oct 2008 09:16:10
I've been lucky enough to only have one password stolen.

On RuneScape no less. Nyaa
Sun, 05 Oct 2008 11:06:01
Can you see all out passwords here Yo? I made mine especially as I thought you could see it Happy
Sun, 05 Oct 2008 13:38:07
The concept of a maximum length baffles me.
Sun, 05 Oct 2008 17:51:49
It annoys me when they specify limits on your password.
Sun, 05 Oct 2008 19:00:22
Passwords are stupid. We need to have retinal and/or thumb print scanners built into our PCs and ATMs instead.
Sun, 05 Oct 2008 19:13:36
Actually, GG, I can only see the one-way encrypted version of your password, which for the purpose of logging in is useless.  I wouldn't be able to see the plain text version.

Maximum length is in relation to the database.  You want to limit the amount of useless data as to not clog up your server.  In the case of a password, though, there really shouldn't be a character limit because most encryption algorithms automatically make the password a set length (64 characters for 64-bit encryption) regardless of whether it's shorter or longer.
Log in or Register for free to comment
Recently Spotted:
robio (7m)
Login @ The VG Press
Remember me?