Password Complexity, Good or bad?
-
@Dashrender said:
@scottalanmiller said:
And the longer it gets, the higher it gets. And length still trumps complexity quickly.
This really is the main point to take away from all of this.
I totally understand and agree.
I never really thought that once they are using the entire character set, you could pick ANYTHING in that set.
But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
-
@dafyre said:
Is there really any point to limiting the types of characters people can use in their passwords?
If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"
Why can't I use that?
Exactly, never impose limits. Limits are bad. You want to do anything that you can to encourage length. Limits do the opposite.
-
@dafyre said:
Is there really any point to limiting the types of characters people can use in their passwords?
If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"
Why can't I use that?
No reason at all not to use that.
Any password based system that doesn't allow you to use that is showing you that they are doing passwords wrong, they aren't salting and hashing your password, they are probably just storing your password as plain text in their shitty system.
-
@BRRABill said:
But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
I've never heard anyone I'd considered a security person say this, that's what media and home users repeat, sure. Literally, outside of consumer stuff and hobby levels stuff, I've never heard a security expert or researcher suggest that. Having them in the pool, great. But using them over making things easy to remember universally I've heard as very, very bad and is one of the first things you learn about password security.
-
@BRRABill said:
@Dashrender said:
@scottalanmiller said:
And the longer it gets, the higher it gets. And length still trumps complexity quickly.
This really is the main point to take away from all of this.
I totally understand and agree.
I never really thought that once they are using the entire character set, you could pick ANYTHING in that set.
But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
-
@Dashrender said:
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.
-
Now, if you are randomly generating passwords with no hope or attempt to remember them... then go for super long, super random, huge character set. Give it as much variation and randomness as the computations can muster. Any shared password that we use we make super long and fully random and you force it to be copy/pasted which is necessary in a shared password situation. In that case, though, we actively want to discourage memorization as well.
-
@scottalanmiller said:
@Dashrender said:
@larsen161
I won't speak for JB, but for me - it's all around cost.But you can do that for free.
How? How can you do 2FA for free in an office scenario?
Something you know and something you have.
The something you know is the password.
The something you have is the part that costs money. It is not free.
-
@BRRABill said:
@Dashrender said:
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.
Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,
-
@JaredBusch said:
The something you have is the part that costs money. It is not free.
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.
Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,
Or that they MIGHT use, that's all that matters. Given that set, sure, some user might go nuts and ONLY use special characters in a pretty small set - but the smaller set is only useful to a hacker that knows what the smaller set is.
In reality, knowing a smaller set is the same as knowing the password. Think of it this way...
You have a one char password, the hacker knows your set, the set size, by definition, can only be one char, so knowing the set and knowing the password are the exact same thing in that case.
-
Did that make sense?
Look at this....
AuAAu3dd7T55uA
How big is the set?
The set size is seven. Just seven.
AdTu357... that's the entire set.
-
My point is that running under the assumption a hacker would need to try ALL the set (unless the KNEW what your set was) there's no difference between any of the characters.
Right?
-
@BRRABill said:
My point is that running under the assumption a hacker would need to try ALL the set (unless the KNEW what your set was) there's no difference between any of the characters.
Right?
Correct, a hacker is stuck attempting basically the full set, all the time unless they can social engineer you down to a subset, which is possible but hard to do and requires both a social AND a technical hacking attempt.
-
@BRRABill said:
My point is that running under the assumption a hacker would need to try ALL the set (unless the KNEW what your set was) there's no difference between any of the characters.
Right?
Doing brute force attacks does happen, but it's almost always that last thing they would try today. For example: If you have the hashed passwords, many faster options are available. It's assumed that if you have the list of hashed passwords that you'll also know what algorithm(s) were used to create the hashes. Which allows them to create a list of hashes from known common passwords. All they have to do is compare the two lists of hashes and any matches mean that they then know the password.
I know many people just won't "grok" the next concept. Forcing the use of special characters (!@#$%^&*) often times makes "guessing" a password even faster than not forcing their use. For example, replacing the letter s with $. The fact that the hacker knows that use of special characters is a must, it reduces the number of possible passwords drastically, VERY drastically!
-
@scottalanmiller said:
Did that make sense?
Look at this....
AuAAu3dd7T55uA
How big is the set?
The set size is seven. Just seven.
AdTu357... that's the entire set.
yeah the actual set size is 7, but for a hacker knowing only that you used upper/lower/numbers, the set size is 62
-
@Dashrender said:
@scottalanmiller said:
Did that make sense?
Look at this....
AuAAu3dd7T55uA
How big is the set?
The set size is seven. Just seven.
AdTu357... that's the entire set.
yeah the actual set size is 7, but for a hacker knowing only that you used upper/lower/numbers, the set size is 62
That's my point... if the hacker knows the set size, they have you. If they don't, it's a big set. We use these weird thing of "if we only use lower case, our set size is X" but it isn't, the set size is much smaller. The full set of ANY password is really small. That's what people miss... all set sizes are small, knowing what the set size is is part of knowing the password.
-
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
-
@scottalanmiller said:
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
How do you use SSH Keys to log into your windows desktop?
@scottalanmiller said:
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
-
@Dashrender said:
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.