The stupid question is the question not asked | |
PerlMonks |
Re: regex elegance contest - validate a pwby CountZero (Bishop) |
on Feb 11, 2004 at 16:16 UTC ( [id://328301]=note: print w/replies, xml ) | Need Help?? |
Contrary to what many people believe, putting such (arbitrary) conditions on the format of passwords actually makes it easier to crack them. If you require the passwords to be at least 5 characters wide, you have decreased the number of possible passwords by approx. 63**4 (almost 16 million), i.e. all paswords with 4 or less characters of the range a-z A-Z 0-9 and "empty". Requiring at least one lower case character further reduces the password-space by 59% (37/63, i.e. none of A-Z 0-9 and "empty" are allowed in that position), id. for the required upper case character, and asking for at least one number finally lowers the total number of possible passwords by another 84% (53/63 - none of a-z A-Z and empty are allowed). In total the combination of these three conditions shrinks the number of allowed passwords to about one third of what was possible without these restrictions. My calculations may be a bit off as I did not take into acount the position of the restricted characters, but by and large it will be OK.There will still be a large number of possible passwords (which will probably defeat a brute force attack), but why limit the password-space, esp. since these rules do not guarantee "good" passwords at all? A typical birthday "8Jun1959" is a good password, whereas all say that one should avoid such easy to guess passwords. The only good password is therefore one which is randomly generated. CountZero "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law
In Section
Seekers of Perl Wisdom
|
|