Nathan Tyree: Passwords
Password strength requirements create weaker passwords.

Imagine a three-character password that allows only the digits 0 through 9. There are 10^3 = 1000 possible passwords in this system. Now change the system to allow lowercase letters and digits, 36 characters in all. The new system allows 36^3 = 46,656 possible passwords. Now add a strength requirement: there must be at least one digit and at least one letter. That rule excludes the 1000 all-digit passwords and the 26^3 = 17,576 all-letter passwords, so the number of possible passwords drops to 28,080. We have thrown away 18,576 possible passwords and in doing so created a weaker system.
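The counting above, carried out in code. This is an added example, not part of the original post; it assumes "letters" means the 26 lowercase ASCII letters, which is what the 46,656 figure implies. The brute-force count enumerates every three-character string over the 36-character alphabet and keeps those with at least one digit and at least one letter; the inclusion-exclusion function gives the same number for any length and any set of character classes, so the same rule can be costed for longer passwords and for "lower, upper, digit, symbol" policies.

```python
from itertools import combinations, product
from string import ascii_lowercase, digits

# Assumption (example code, not from the post): "letters" means the 26 lowercase
# ASCII letters, which with the 10 digits gives the post's 36-character alphabet.
ALPHABET = ascii_lowercase + digits


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of passwords of a given length when any character may appear anywhere."""
    return alphabet_size ** length


def constrained_size(length: int, classes=(26, 10)) -> int:
    """Number of passwords of `length` over the union of disjoint character classes
    (given by their sizes) that contain at least one character from EVERY class.

    Inclusion-exclusion: start from all strings, subtract those missing one class,
    add back those missing two classes, and so on.
    """
    total = sum(classes)
    count = 0
    for k in range(len(classes) + 1):
        for omitted in combinations(range(len(classes)), k):
            remaining = total - sum(classes[i] for i in omitted)
            count += (-1) ** k * remaining ** length
    return count


def brute_force_count(length: int) -> int:
    """Independent check: enumerate every string over ALPHABET and keep those that
    satisfy the post's rule (at least one digit and at least one letter)."""
    return sum(
        1
        for pw in product(ALPHABET, repeat=length)
        if any(c in digits for c in pw) and any(c in ascii_lowercase for c in pw)
    )


def excluded_fraction(length: int, classes=(26, 10)) -> float:
    """Share of the unconstrained keyspace that the composition rule throws away."""
    full = keyspace_size(sum(classes), length)
    return (full - constrained_size(length, classes)) / full


if __name__ == "__main__":
    print("digits only, length 3:", keyspace_size(10, 3))
    print("letters+digits, length 3:", keyspace_size(36, 3))
    print("with rule (inclusion-exclusion):", constrained_size(3))
    print("with rule (brute force):", brute_force_count(3))
    # The same rule with four classes (lower, upper, digit, 32 symbols) at length 8
    print("lower+upper+digit+symbol, length 8, fraction excluded:",
          excluded_fraction(8, (26, 26, 10, 32)))
```

Both counts agree at 28,080 for the three-character case. Changing `length` or the `classes` tuple shows how much of the keyspace a given composition rule removes for a given policy.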

It seems to me that it is a good idea to allow as many character types as possible (letters, upper and lowercase, numbers, special characters) but a bad idea to require the use of any of them.

Tell me what the flaw in my thinking is.


