codeheap834y
When using smart restrictions that result in passwords that are harder to programmatically guess, no.
The idea behind restrictions that enforce a mixture of letter casing, special characters, and so on is that you aren't allowing users to just type dictionary words in all lower case into your password field.
This, at first thought, reduces the number of combinations, but really it just removes the bottom-of-the-barrel possibilities from occurring in your password store. This raises the security bar overall.
Let us not forget salting either.
That's one reason to use dynamic password restrictions. For example, take this: password security should exceed 60^8 (167961600000000). Password security is X^Y, where X = (+26 lower, +26 upper, +10 digits, +30 special) and Y is the length.
That would mean, for example, that Pshey123 would be accepted, but also evhujdrebni (11 lowercase chars), as 26^11 is larger than 60^8. This would also be accepted: 554894318067588, as 10^15 > 60^8.
Also, password security should be set to the worth of the account. For example, a regular user could have security = 26^6, while a local admin could have something like 50^7 and a global admin needs something like 60^8.
That makes it harder for an attacker to deduce which passwords are invalid from the beginning. If the password security requirement for admins is never communicated to the public, the attacker has to attack using the limits of a regular user, which is a much larger search space.
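The dynamic rule described in the comment above, as an added example that is not part of the original thread: the search space of a password is computed as X^Y, where X is the sum of the alphabet sizes of the character classes actually present (the comment's figures: 26 lower, 26 upper, 10 digits, 30 special) and Y is the length, and the result is compared against a per-role minimum (26^6, 50^7, 60^8 as in the comment). Everything here is an assumption for illustration: the role names, the choice to count any character outside lower/upper/digit as "special", and the integer arithmetic; the 30-character special set is the comment's number, not the size of any particular library's punctuation set.

```python
import math
import string

# Alphabet size credited for each character class (figures from the comment above).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 30}

# Minimum search space per role (assumed role names; thresholds from the comment).
ROLE_THRESHOLDS = {
    "user": 26 ** 6,
    "local_admin": 50 ** 7,
    "global_admin": 60 ** 8,
}


def present_classes(password: str) -> set:
    """Return the set of character classes that occur at least once in the password."""
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            # Assumption: anything outside the three ASCII classes counts as "special".
            classes.add("special")
    return classes


def alphabet_size(password: str) -> int:
    """X in the comment's formula: sum of the sizes of the classes the password uses."""
    return sum(CLASS_SIZES[name] for name in present_classes(password))


def search_space(password: str) -> int:
    """X^Y as an exact integer (no float rounding for long passwords)."""
    if not password:
        return 0
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2(X^Y), a more readable figure for the same quantity (60^8 is about 47.3 bits)."""
    space = search_space(password)
    return math.log2(space) if space else 0.0


def meets_requirement(password: str, role: str) -> bool:
    """True when the password's search space reaches the role's minimum."""
    return search_space(password) >= ROLE_THRESHOLDS[role]


def evaluate(password: str) -> dict:
    """Which roles would accept this password under the dynamic rule."""
    return {role: meets_requirement(password, role) for role in ROLE_THRESHOLDS}


if __name__ == "__main__":
    # Constructed inputs: the three from the comment plus two weaker ones.
    for pw in ["Pshey123", "evhujdrebni", "554894318067588", "hunter2", "abc"]:
        print(f"{pw!r:20} X={alphabet_size(pw):3} Y={len(pw):3} "
              f"bits={entropy_bits(pw):5.1f} {evaluate(pw)}")
```

Note that X^Y is a ceiling on brute-force effort, not a measure of guessability: `hunter2` scores 36^7 and clears the regular-user threshold here even though it sits in every leaked-password list. In practice a check like this belongs next to a breached-password lookup, and the per-role thresholds should be kept server-side, as the comment says, so the validation rule itself is not published.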