Nathan Tyree: Passwords

Password strength requirements create weaker passwords.

Imagine a three character password that allows only digits 0 through 9. There are 1000 possible passwords in this system. Now change the system to allow letters and numbers. The new system allows 46,656 possible passwords. Now add a strength requirement. Require that there must be at least one number and at least one letter. With the new strength requirement the number of possible passwords drops to 45,656. We have excluded 1000 possible passwords and in doing so created a weaker system.

It seems to me that it is a good idea to allow as many character types as possible (letters, upper and lowercase, numbers, special characters) but a bad idea to require the use of any of them.

Tell me what the flaw in my thinking is.

Password strength requirements create weaker passwords.

Imagine a three character password that allows only digits 0 through 9. There are 1000 possible passwords in this system. Now change the system to allow letters and numbers. The new system allows 46,656 possible passwords. Now add a strength requirement. Require that there must be at least one number and at least one letter. With the new strength requirement the number of possible passwords drops to 45,656. We have excluded 1000 possible passwords and in doing so created a weaker system.

It seems to me that it is a good idea to allow as many character types as possible (letters, upper and lowercase, numbers, special characters) but a bad idea to require the use of any of them.

Tell me what the flaw in my thinking is.

The truth is that most systems that will have requirements as you mention will also have minimum password lengths, case sensitivity, and additional characters available. All of these serve to create a huge well of passwords that increase the time required to match by a computer. This also assumes you have the ability to perform such an attack bypassing security features limiting attempts and monitoring access patterns.

So, even if your point stands mathematically, it?s a drop in the ocean compared to forcing users to actually create a stronger password.