
An annoyance of mine is when websites try to force me to use characters or a password policy that makes it difficult for me to remember (e.g. a number, lower-case, upper-case, special char, 5 - 10 characters)...

What would the pitfalls be of simply having a password strength calculator and only allowing passwords that are "strong"?

For instance, maybe one person only likes using words, so you could allow "thehorselikestodrinkwater", since its length makes it strong, but also allow "!Pf-4", since its complexity makes it strong.

TruthOf42
  • It annoys me too, which is why I feel most sites should have a password strength advisor, but not actually forbid passwords they consider weak. – paj28 Feb 07 '14 at 20:59

2 Answers


The problem is the programming complexity. Testing for the presence of mixed case, numbers, and punctuation is extraordinarily simple.

Testing password strength in the real, practical sense is surprisingly difficult. What you really care about is whether or not that password will get cracked, not how many special characters it contains. The password apwyfzsdjn is dramatically more secure than Baseb4all!, even though most password testers will prefer the latter.

The project zxcvbn is a JavaScript-based password tester that attempts to do reasonable password strength analysis based on complexity and (more importantly) dictionary lookup, and it certainly does a better job than the "must contain punctuation" sort of testers.

But it's a hard problem to solve.

tylerl

In general complexity is not as important as length, however complexity plus length increase protection against pure brute force password attempts.

Your example of !Pf-4 would be cracked quickly regardless of "complexity", because the number of tries needed to guess it would be at most 7,820,126,495 (95^5 + 95^4 + 95^3 + 95^2 + 95), 95 being the number of possible characters. A Core i7 will crack that in no time.

For every increase in password length, you increase the number of guesses required by a magnitude of power. The real problem is that most password crackers who know what they are doing use customized dictionary attacks along with brute force attacks which can compromise even long pass phrases fairly easily.

It can also depend on what cryptographic hash was used to hash the passwords. There are known security issues with some hashes like MD5, and there are stronger hashes like bcrypt that are considered "slow" hashing algorithms because they require more time to check each hash.

I would recommend you check out this article on password cracking.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/2/

JadedCore
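The two answers above make complementary points: a naive rule-based policy accepts short "complex" strings that a cracker enumerates in seconds, while a dictionary-aware estimator ranks passwords by the guesses an informed attacker actually needs, and the hash in use scales that guess count into time. The script below illustrates both. It is an added example, not code from either answer or from the zxcvbn project; it implements a deliberately tiny version of the zxcvbn idea (greedy dictionary matching with leet reversal and a capitalisation penalty, falling back to per-character-class mask enumeration). The wordlist, its frequency ranks, the sample passwords other than the ones quoted in the thread, and the two hash rates are constructed for illustration, not measured figures.

```python
"""Rule-based policy versus guess-count estimate for passwords.

Added example; the wordlist, ranks and hash rates below are constructed
illustrations, not data from the answers above or from zxcvbn.
"""
import string

# Character-class sizes a mask/brute-force cracker enumerates (26+26+10+33 = 95).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33
PRINTABLE = LOWER + UPPER + DIGIT + SYMBOL

# Constructed toy wordlist with illustrative frequency ranks (1 = most common).
# A real estimator uses tens of thousands of ranked words plus names, keyboard
# walks, dates and repeats; the ranks here only need to be in a plausible order.
WORD_RANK = {
    "password": 1, "the": 1, "to": 2, "letmein": 10, "football": 40,
    "baseball": 50, "water": 300, "horse": 900, "drink": 1500, "likes": 2500,
}
# Common one-for-one "leet" substitutions reversed before dictionary matching.
LEET = {"4": "a", "@": "a", "3": "e", "0": "o", "1": "i", "$": "s", "5": "s", "7": "t"}

# Illustrative guesses/second (assumed order-of-magnitude values, not benchmarks):
# a fast unsalted hash on a GPU versus a deliberately slow bcrypt work factor.
FAST_HASH_RATE = 1e9
BCRYPT_RATE = 1e4


def class_size(ch: str) -> int:
    """Alphabet size a mask attack would assign to this character position."""
    if ch.islower():
        return LOWER
    if ch.isupper():
        return UPPER
    if ch.isdigit():
        return DIGIT
    return SYMBOL


def brute_force_guesses(length: int, alphabet: int = PRINTABLE) -> int:
    """Candidates a brute-force run over lengths 1..length must try.

    For length 5 over 95 printable characters this is the answer's
    95^5 + 95^4 + 95^3 + 95^2 + 95 = 7,820,126,495.
    """
    return sum(alphabet ** n for n in range(1, length + 1))


def naive_policy_ok(pw: str) -> bool:
    """The kind of rule the question complains about: one of each class, 5-10 chars."""
    return (5 <= len(pw) <= 10
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def estimate_guesses(pw: str) -> int:
    """Guesses an informed attacker needs, zxcvbn-style but much simplified.

    Greedy longest-word-first segmentation of the case-folded, leet-reversed
    password. A matched word costs its rank, times 2 per leet substitution and
    times 2 if it carries a capital; every leftover character costs its class
    size, as a mask attack would charge it. Never more than plain brute force.
    """
    core = "".join(LEET.get(c, c) for c in pw.lower())  # same length as pw for ASCII
    words = sorted(WORD_RANK, key=len, reverse=True)
    guesses, i = 1, 0
    while i < len(core):
        for w in words:
            if core.startswith(w, i):
                span = pw[i:i + len(w)]
                subs = sum(1 for a, b in zip(span.lower(), w) if a != b)
                caps = 2 if any(c.isupper() for c in span) else 1
                guesses *= WORD_RANK[w] * (2 ** subs) * caps
                i += len(w)
                break
        else:
            guesses *= class_size(pw[i])  # charge the original character, not the reversed one
            i += 1
    return min(guesses, brute_force_guesses(len(pw)))


def seconds_to_crack(guesses: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the estimated guess space at the given rate."""
    return guesses / guesses_per_second


if __name__ == "__main__":
    # "!Pf-4" and "apwyfzsdjn" are quoted from the thread; the other two are constructed.
    for pw in ["!Pf-4", "B4seball!", "apwyfzsdjn", "thehorselikestodrinkwater"]:
        g = estimate_guesses(pw)
        print(f"{pw:26} policy={'pass' if naive_policy_ok(pw) else 'FAIL':4} "
              f"guesses={g:.2e} fast-hash~{seconds_to_crack(g, FAST_HASH_RATE):.1e}s "
              f"bcrypt~{seconds_to_crack(g, BCRYPT_RATE):.1e}s")
```

Running it shows the inversion both answers describe: the two passwords the rule-based policy accepts ("!Pf-4" and the leet-speak dictionary word) come out with the fewest estimated guesses, the long all-lowercase passphrase and the random lowercase string that the policy rejects come out with the most, and switching the assumed hash from a fast one to bcrypt multiplies every crack time by the ratio of the two rates rather than changing the ordering.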