On Jan 2, 2012, at 7:05 PM, Gary Buhrmaster wrote:
On Mon, Jan 2, 2012 at 22:32, Jimmy Hess <mysidia@gmail.com> wrote: ....
The sole root cause for "easily guessable passwords" is not lack of technical restrictions. It's also: lazy or limited memory humans who need passwords that they can remember.
Firstname1234! is very easy to guess, and meets complexity and usual length requirements.
Obligatory xkcd reference: http://xkcd.com/936/
Thanks; you saved me the trouble. There's a discussion of the topic going on right now on a cryptography mailing list; check out http://lists.randombit.net/mailman/listinfo/cryptography if you want. Also see my (mostly tongue in cheek) blog post at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-27.html and the very serious followup at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-28.html I should add that except for targeted attacks, strong passwords are greatly overrated; neither phishing attacks nor keystroke loggers care how good your password is. I just went through some calculations for a (government) site that has the following rules: Minimum Length : 8 Maximum Length : 12 Maximum Repeated Characters : 2 Minimum Alphabetic Characters Required : 1 Minimum Numeric Characters Required : 1 Starts with a Numeric Character No User Name No past passwords At least one character must be ~!@#$%^&*()-_+\verb!+={}[]\|;:/?.,<>"'`! Under the plausible assumption that very many people will start with a string of digits, continue with a string of lower-case letters to reach seven characters, and then add a period, there are only ~5,000,000,000 choices. That's not many at all -- but the rules look just fine... --Steve Bellovin, https://www.cs.columbia.edu/~smb