0

I came across an interesting password policy online recently:

"Please be sure to enter a password that meets the following criteria:

  • must be 8 characters long
  • must not be based on dictionary words
  • must be different from previous 6 passwords
  • must contain at least 1 uppercase character (A-Z)
  • must contain at least 1 lowercase character (a-z)
  • must contain a leading letter (a-z or A-Z)
  • must contain at least 1 number (0-9)
  • may contain up to 2 special characters ($ or # only)
  • may not have repeating characters
  • must be different from user ID"

It seems to me that this narrows down the number of possible passwords so dramatically that it would take appropriately configured hackware all of two minutes to figure out someone's password. Is that approximately accurate?

Bill Horvath
  • 101
  • 2

1 Answers1

1

You're right, it is a really interesting password policy. Some of those rules are poorly defined. If I apply a loose definition, I think it doesn't narrow the number of possible passwords to the point of making them easy to guess, but there are problems with this list:

  1. Best protection of password is the length. If it really must be exactly 8 characters, that is really bad. I assume they mean 8 characters or longer. 8 characters isn't enough anymore in my opinion (even though this is recommended as a minimum everywhere). Increase to 10 or 12.
  2. repeating characters? I assume they mean right next to one another Who cares? This doesn't do much to improve the guessability of a password.
  3. Why only two special characters? Why limit it to # or &?? This makes no sense.
  4. Leading Letter? Again, WHY?
  5. No dictionary passwords is something I agree with, but how are they verifying it? Do they have a database of dictionary words?

total possible combinations:
(26 + 26 + 10 +2) ^ 8 = 281,474,976,710,656 exclude combinations without numbers:
(26 + 26 +2) ^ 8 = 72,301,961,339,136 exclude combinations without leading letter:
(10 + 2) + (26 + 26 + 10 + 2) ^ 7 = 4,398,046,511,104 exclude combinations with repeating characters: total possible - (64! / 56!) = 103,011,989,072,896

exclude dictionary words (words with 8 letters) round up to 10,000

final answer of how many passwords allowed: 101,762,979,777,508 So about 102 Trillion

mcgyver5
  • 6,844
  • 2
  • 26
  • 46
  • 2
    It means they aren't using a standard library for passwords but rolling their own. The restriction of $ and # confirms it. The repeating letters restriction is a 'feature' that the programmer thought up, so he does a very basic look-ahead search at each character to see if the next character is the same. The problem then is "what ELSE is poorly programmed in this security sub-system?" – schroeder Apr 25 '14 at 19:09
  • @mcgyver5: Per your questions: It's *exactly* eight characters, not 'or longer' (I tried.) No repeating characters ('pppp', etc.) means one less character to test in each position. As for the rest, you've got me! :) – Bill Horvath Apr 25 '14 at 19:18
  • 1
    Well, that is even goofier than I thought. A length restriction might mean they aren't even hashing the passwords. – mcgyver5 Apr 25 '14 at 19:39
  • 1
    @mcgyver5 Agreed, and the password field on the database is hard-coded at 8 chars (so, old). – schroeder Apr 25 '14 at 20:55
  • Any idea how long it would take to test the combinations? – Bill Horvath Apr 25 '14 at 22:15
  • depends if you are asking about testing the actual login form or cracking stored password hashes. If it is the web login form, then forever. If hashes, then it depends on the type of hash and the hardware being used to crack it. http://blog.codinghorror.com/speed-hashing/ really explains it well. – mcgyver5 Apr 26 '14 at 02:11
  • Interestingly, other than the restriction on allowable characters, the rest of the rules don't do much to the possible password space. There are 285,942,833,483,840 possible 64-character passwords of length 8 or less, so the rules only eliminate about a third of them. However, there are 6,161,234,432,565,770 possible passwords using the 94 printable ASCII characters, 95% of which contain a forbidden character. – Mark Apr 26 '14 at 04:42