10

I thought the strength of a password depended on the total number of possible combinations. Therefore, allowing longer passwords should be safer because you then have more possibilities. But why do some systems set a minimum number? Doesn't this simply reduce the number of possible combinations?

AviD
  • 72,708
  • 22
  • 137
  • 218
Shawn
  • 201
  • 1
  • 7

4 Answers4

20

Doesn't this simply reduce the number of possible combinations?

yes, but not significantly.

As an analogy, consider passwords that are combinations of uppercase letters A-Z only, with max length of 8. Total # of possibilities = 268 + 267 + ... + 26 + 1 = 217.2 billion. If you restrict this to a minimum length of 6, that eliminates passwords of length 5 or less, which have a total # of possibilities of 265 + 264 + ... + 26 + 1 = 12.4 million, a tiny fraction of the larger password space.

Jason S
  • 394
  • 1
  • 8
13

Even if you allow 128-byte passwords, most people will choose something 10 chars or less. Some even will choose something as short as 1-3 chars. Hackers know this and brute-force those possibilities first. Indeed, in most brute-force hacking programs, they naturally come up first as they start with shortest possibilities and build to longer ones. Therefore, a minimum.

To your point, it does minimize the total possibilities, but not by much, as the LSB's don't amount to much compared to the MSB's.

2

I would say it reduces the amount of easy-to-crack passwords in the system.

1

No, because the longer the password, the more time it takes to crack. By setting a minimum length the designer is forcing the user to make a longer password.

http://www.explainxkcd.com/2011/08/10/password-strength/

Drazisil
  • 119
  • 4