6

For example, OWASP considers 10-128 characters, with lower, upper, digit, and special characters (I don't get why there's an upper limit). Using the OWASP's minimum guidelines and assuming there are 28 special characters, the entropy is 3e19. But with a 16 character password with only lowercase letter is 4e22. Throw in upper case and it's 2e27. Computers can calculate at a pretty fast rate but whatever it is, it lowers that entropy, meaning that the difference isn't 22 zeros to 19, but closer to 5 to 2, i.e. the differences are huge.

If length is a concern, 12 lower + upper characters is 3e20. Other big companies still force people to use minimum 8-length with special characters. Why force people to use special characters - and to an extension numbers - when another 2 characters is not only more secure but far easier to remember? Why are they so anal about this?

Some people argue that long-length passwords are bad because people just use real words so that limits entropy greatly. To that I would say same thing with shorter passwords, hence dictionary + rule attacks. Forcing numbers and/or special characters just results in passwords like [word]1!, or worse, Password1!. Can someone explain either why special characters are a necessity in secure passwords or why it is considered that way despite evidence against it.

Anders
  • 65,052
  • 24
  • 180
  • 218
Geoff Lee
  • 159
  • 1
  • 1
  • 6
  • 1
    This is not the case. What is your reference for your initial assumption? Some people think ? Because they are easily forgotten ? – J. Chomel Feb 26 '17 at 06:51
  • I think the question is legit. And if you only look at the possible combinations, it is mathematically correct, that a longer password has more combinations than a password with a bigger base. So I also do not know, why they require special chars. ...because it is the default setting of the operating system. And if you change the default setting, you must have a good reason and argue WHY you do it. To complicated for IT Department. Take a look at this: https://www.youtube.com/watch?v=Sh-KDL_yRlA – cornelinux Feb 26 '17 at 07:14
  • AFAIC, this is cargo-cult programming. Somebody read from somebody (citation: Bill Burr, NIST, 2003) that "secure" passwords use every combination of character sets, rather than *potentially* allowing *any* combination of character sets - which is all that really matters. IMO, a reasonable length req't (min 10-12) with at least one or two non-alpha characters would ensure entropy, and length means it's not just *a* dictionary word, but some unknown multiple of them, with who knows what in between. But it's become an ingrained bit of tribal wisdom and actual math has little to do with it. – SirNickity Jan 25 '22 at 23:59

3 Answers3

2

It's UX. Requiring mixed characters makes it less likely for a user to use a common word or phrase, which would make it highly susceptible to a dictionary attack. The additional entropy is a bonus; as you point out, additional characters would be just as effective.

John Wu
  • 9,181
  • 1
  • 29
  • 39
  • 3
    I made the argument above but I'll say it again. Adding complex rules doesn't encourage users to create better passwords. You still get passwords that are susceptible to dictionary attacks, except now you just have to apply a rule to add numbers/punctuation at the start and/or end. That versus many words. Many words is better than 1 word with obvious use of non-alphabetic characters. Are there studies that prove that the entropy rises when using OWASP rules over long character length? If not, then memorability trumps it. – Geoff Lee Mar 24 '17 at 04:08
  • I agree completely for the 80% use case. But if you took away *all* complexity rules, I'm pretty sure the bottom 20% of users would use a truly awful password such as their own last name, their user name, or even just "password." – John Wu Mar 16 '18 at 19:04
1

It's because if you don't force people to use special characters, they likely won't, the same being true of uppercase, and numbers. If you force some combination of these, then you will always increase entropy, because you're increasing the number of characters that could possibly be in each character of your password.

No matter the situation, having a special character and/or number requirement will always make the password harder to break. p@$$w0rd is harder, marginally, than password.

If the question is, is it worth the extra effort and annoyance for your customers, that's a different matter.

Obscure
  • 11
  • 2
0

Considering only the scenario of a brute-force attack that may be true. However, when we consider other password guessing techniques, this may be untrue.

When allowed/forced to use a lowercase password of an acceptable length (for high entropy), the password should be random text. In a real-world scenario, an average user will use words or sentence from a language thus reducing the entropy since we know that entropy is the unpredictability.

Its a question between $33th1sP@ssw0rd or seethispasswordwhichislongerbutnotsecureenough.

Tariq B.
  • 101
  • 2
  • 2
    I made the argument that those rules don't create passwords like `$33th1sP@ssw0rd`, then create passwords like: `Horses1!`. Some of the most common techniques is using a dictionary attack with rules like adding numbers/punctation at the start or end and capitalizing the first or last letter. If you think about it, more words is still more secure, even after factoring laziness. – Geoff Lee Mar 24 '17 at 04:02