Monday, October 24, 2011

On Password Strengths

It annoys me considerably when I am signing up for something and the form insists that if my password does not contain capital letters, numbers, or some special character, then it is somehow an inferior password. The strength of a password lies not in the characters it contains, but rather in the characters that it could contain. Therefore, if a password happens to contain only capital letters, for example, but could equally have contained small letters or numeric characters, a brute-force attacker will not know this, and would waste considerable effort testing passwords that contain those small letters or numeric characters.

It is especially annoying when I generate a completely random list of letters and numbers for use in a password, and then have the signup form tell me that my password is weak, despite the fact that, by random chance, it has no capital letters (something which happens on average once in 167 passwords with the algorithm I typically use). My passwords typically have an entropy between 36 and 95 bits, which is strong enough for most purposes (the average person's passwords typically have entropies in the twenties).
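As an added illustration of the point above (this is example code, not the Matlab script mentioned in the post), the snippet below assumes passwords drawn uniformly from the 62-symbol alphanumeric alphabet, computes the entropy such a generator actually provides, the chance that a generated password happens to lack a character class, and how often a naive composition rule would reject passwords whose entropy is identical:

```python
import math
import secrets
import string

# Assumed generator alphabet: upper, lower and digits (62 symbols).
ALNUM = string.ascii_letters + string.digits


def generate_password(length, alphabet=ALNUM):
    """Uniformly random password from the given alphabet (CSPRNG)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def prob_missing_class(length, alphabet_size, class_size):
    """Probability a random password contains none of a class of symbols,
    e.g. no uppercase letter among 62 symbols: (36/62) ** length."""
    return ((alphabet_size - class_size) / alphabet_size) ** length


def composition_check(password):
    """Typical sign-up form rule: must contain upper, lower and a digit.
    It inspects the characters present, not the space they were drawn from."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def rejection_count(length, trials):
    """How many equally strong random passwords the composition rule rejects."""
    return sum(1 for _ in range(trials)
               if not composition_check(generate_password(length)))


if __name__ == "__main__":
    for n in (6, 16):
        print(f"{n} chars from {len(ALNUM)} symbols: "
              f"{entropy_bits(n, len(ALNUM)):.1f} bits, "
              f"P(no uppercase) = {prob_missing_class(n, 62, 26):.4f}")
    rejected = rejection_count(6, 1000)
    print(f"composition rule rejected {rejected} of 1000 six-char passwords")
```

Every rejected password in the last line has the same 35.7 bits of entropy as every accepted one; the rule measures appearance, not the size of the search space.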

(On a nice informative side note: the aesthetically pleasing arrangement of letters and numbers that forms part of the background to the header on this page was generated by the same Matlab script I originally wrote to generate passwords for me.)
