3

Some years ago a sysadmin of large computing centre (on a campus) enforced the password of every single user to contain the character $ at an arbitrary position. They soon dropped this policy but I always wondered what could possibly be gained by this. Would this actually make passwords more secure or would it make them weaker?

Letting aside the human factor this would have on the memorability of passwords, my assumption was that this would have no effect on how it is to break a password since it is known that one of the characters is $. However, given that the position of the character and the length of the password were arbitrary, maybe there is more to it.

Can you shed some light on the effects of this policy and why anybody would enforce it?

bitmask
  • 585
  • 1
  • 5
  • 12

2 Answers2

3

You are basically reducing the overall entropy of your password, as one of the characters will always be known.

This effect is further amplified by the fact that most humans are predictable creatures. If you force them to place an arbitrary character somewhere in their password, there is a high chance that character will be the first or last character in the password.

  • 1
    Could you elaborate on your first point? Why is the entropy *reduced* if I append a given character to a previously chosen password? – bitmask Mar 15 '13 at 14:40
  • @bitmask Ahh, I actually meant reducing entropy compared to a random password of equal length. Sorry if it wasn't clear. –  Mar 15 '13 at 14:44
  • 2
    People don't want to type long passwords. If you enforce a policy of adding a dollar sign, they will react by choosing a _shorter_ base password, from a smaller set of possible base passwords -- hence reduced entropy. Appending a given character does not lower entropy when all other things are unchanged -- but other things are never really unchanged. The scarce resource of user patience is hard to expand. – Tom Leek Mar 15 '13 at 14:46
  • 1
    Or they'll choose a word that contains `S` and they'll replace it with `$`. My bet is on `$exyButt`. – Adi Mar 15 '13 at 15:35
3

When left to their own devices, people tend to choose weak passwords (e.g. the name of their children/mother/girlfriend/monarch). That's a fact of life. Educating users to the virtues of hard to guess passwords through randomness is a time consuming and exhausting task. It often seems easier and faster to somehow evict users out of their comfort zone, by forcing them to choose passwords in a set which will make it "by construction" more random. Most girlfriends don't have a '$' in their name, so the mandatory addition of the dollar sign will make the password "more random" -- or so it is hoped. In practice, though, people first think of the password they would like to have, then add (by appending) whatever it takes to appease the sysadmin; so they will put the dollar sign at the end, quasi-systematically. The password will not be "Gwendoline" but "Gwendoline$". Thus, the extra security is, at best, slight. And users will be less happy, which is, all other things being equal, a bad thing for security.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480