Don't password restrictions cause a reduction the possible passwords and reduce the search space if someone tried to try brute force?

  • 4
    When using smart restrictions that result in passwords that are harder to programmatically guess, no.

    The idea behind restrictions is to enforce a mixture of letter casing, special characters, and so on is that you arent allowing users to just type dictionary words all lower case into your password field.

    This at first thought, reduces the number of combinations, but really it just removes the bottom of the barrel possibilities from occurring in your password store. This raises the security bar overall.

    Let us not forget salting either..
  • 5
    Thats one reason to use dynamic password restrictions. For example, take this: Password security should exceed 60^8 (167961600000000). Password security is X^Y where X = (+26 lower, +26 upper, +10 digits, +30 special), Y is length.

    That would mean for example Pshey123 would be accepted. but also for example evhujdrebni (11 lowercase chars) as 26^11 is larger than 60^8. Also this would be accepted: 554894318067588 as 10^15 > 60^8.

    Also password security should be set to the worthness of account. For example, a regular user could have security = 26^6, while an local admin could have like 50^7 and a global admin need like 60^8.

    That makes it harder for attacker to deduce which passwords are invalid from beginning. If the password security requirement for admins never is communicated to public, the attacker has to attack using the limits of user, which is a much larger search space.
Add Comment