Re: regex elegance contest

Contrary to what many people believe, putting such (arbitrary) conditions on the format of passwords actually makes it easier to crack them.

If you require the passwords to be at least 5 characters wide, you have decreased the number of possible passwords by approx. 63**4 (almost 16 million), i.e. all paswords with 4 or less characters of the range a-z A-Z 0-9 and "empty".

Requiring at least one lower case character further reduces the password-space by 59% (37/63, i.e. none of A-Z 0-9 and "empty" are allowed in that position), id. for the required upper case character, and asking for at least one number finally lowers the total number of possible passwords by another 84% (53/63 - none of a-z A-Z and empty are allowed). In total the combination of these three conditions shrinks the number of allowed passwords to about one third of what was possible without these restrictions.

My calculations may be a bit off as I did not take into acount the position of the restricted characters, but by and large it will be OK.

There will still be a large number of possible passwords (which will probably defeat a brute force attack), but why limit the password-space, esp. since these rules do not guarantee "good" passwords at all? A typical birthday "8Jun1959" is a good password, whereas all say that one should avoid such easy to guess passwords.

The only good password is therefore one which is randomly generated.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Comment on Re: regex elegance contest - validate a pw

Replies are listed 'Best First'.
Re: Re: regex elegance contest - validate a pw by hessef (Monk) on Feb 11, 2004 at 17:34 UTC
"The only good password is therefore one which is randomly generated." Such passwords are extremely hard to guess, but there's a weakness: Giving out random passwords is just asking for people to write those hard-to-remember passwords down on Post-it(TM) notes. If someone sneaks into the office and finds a few written down passwords, the need to guess is eliminated completely.	[reply]
Re: Re: Re: regex elegance contest - validate a pw by CountZero (Bishop) on Feb 11, 2004 at 20:24 UTC
All too true, but you don't even need to look at your co-workers Post-It™ notes. Internet Explorer will remember your passwords for you! (and allow anyone in) CountZero "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law	[reply]
Re: Re: regex elegance contest - validate a pw by mutated (Monk) on Feb 12, 2004 at 15:54 UTC
Contrary to what many people believe, putting such (arbitrary) conditions on the format of passwords actually makes it easier to crack them. I suppose technically you are reducing the keyspace an attacker would need to attack the gain all passwords. The goal of something like this though isn't to try and make individual passwords harder to crack, but to limit the amount of passwords and attacker can gain easily (He's not going to try the entire keyspace regardless, it's to big). You want to limit the effectiveness of dictionary attackers, where an attacker can gain 80% of your password list in half an hour because all your users use common words as their passwords.	[reply]
Re: Re: Re: regex elegance contest - validate a pw by CountZero (Bishop) on Feb 13, 2004 at 07:08 UTC
Yes I understand that, but the artificial --IMHO-- restrictions do not guarantee that common words are excluded as probably most users will still use a common word, capitalize the first character and add a number at the end; or use their birthday or anything equally silly. CountZero "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law	[reply]

In Section Seekers of Perl Wisdom


The stupid question is the question not asked
	PerlMonks

Re: regex elegance contest - validate a pw