by KeytarHero
2966 days ago
Not necessarily. "aaaaaaaaaaaa", "password1234", and "pennsylvania" are all 12 characters, but they're all insecure. These might seem like stupid passwords that nobody would use, but if you enforce a minimum password length as your only requirement, then I guarantee some user is going to use something like this. I agree that length is generally much more important than anything else - but it's not the only factor. Long passwords can be insecure too. Unfortunately it's not easy to validate exactly what makes an insecure password, and as a result we get stupid requirements that prevent some very good passwords (e.g. diceware-generated passwords).

However, outside of the above caveats, it's a common misconception that more complex is more secure. Which of these is harder to crack?
catzzzzzzzzzzzzz
db0mcgn20y64zzn7
Since an attacker is unlikely to arrive at either of these through a dictionary or heuristic, they will take roughly the same amount of time to brute force.
When you force users to comply with arcane password policies, a high percentage of them are going to build their passwords in very predictable ways that are easy to code into a heuristic, like replacing "o" with "0" or something. These kinds of changes add no security value and are just extra work/bother for the users. With the length requirement, it's unlikely they're going to think of a dictionary word off the top of their head that is long enough (how long did you have to think about it to get pennsylvania?), and thus, on average, you're more likely to get more passwords that are a couple of words, or a phrase, or something that is a lot harder to dictionary attack. Once you break away from the dictionary, complexity doesn't matter, only length.
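The checks the two comments above argue about, as an added example that is not part of either comment: a length-only policy plus a dictionary lookup that first undoes the predictable "o" to "0" style substitutions, followed by the brute-force keyspace estimate (length times log2 of the alphabet) for whatever survives. The wordlist, the substitution table and the 12-character minimum are constructed assumptions for this illustration, not values from the thread.

```python
import math
import re

# Constructed stand-in for a real cracking wordlist; an assumption for this
# example, not a list the comments above provide or endorse.
WORDLIST = {"password", "pennsylvania", "letmein", "welcome", "dragon", "monkey"}

MIN_LENGTH = 12          # the length-only rule discussed above
MIN_DISTINCT_CHARS = 3   # catches "aaaaaaaaaaaa"-style strings

# Common substitutions users apply to satisfy complexity rules. They are
# trivial for a cracker to undo, so the checker undoes them before a lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def dictionary_candidates(password: str) -> set:
    """Forms of the password a cracker's mangling rules would test:
    lower-cased, with leet undone, and with trailing digits/symbols removed
    ("password1234" -> "password", "P4ssw0rd!" -> "password")."""
    lower = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lower)
    return {lower, lower.translate(LEET), stripped, stripped.translate(LEET)}


def is_dictionary_word(password: str) -> bool:
    return not WORDLIST.isdisjoint(dictionary_candidates(password))


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace an attacker must search when no dictionary or
    heuristic shortcut applies: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def check(password: str) -> tuple:
    """Return (accepted, reason). Cheap structural rules run first, then the
    dictionary lookup, then the brute-force estimate for what is left."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(set(password)) < MIN_DISTINCT_CHARS:
        return False, "too few distinct characters"
    if is_dictionary_word(password):
        return False, "dictionary word (after undoing common substitutions)"
    return True, "ok, ~%d bits to brute force" % round(brute_force_bits(password))


if __name__ == "__main__":
    for pw in ["aaaaaaaaaaaa", "password1234", "pennsylvania", "P3nnsylv4nia!",
               "catzzzzzzzzzzzzz", "db0mcgn20y64zzn7"]:
        print("%-20s %s" % (pw, check(pw)))
```

Run as-is, the three 12-character examples from the first comment are rejected (one by the distinct-character rule, two by the dictionary lookup, and "P3nnsylv4nia!" is rejected too because the substitutions are undone before the lookup), while the two 16-character strings from the second comment both pass and land at roughly 75 and 83 bits of brute-force work: the same order of magnitude, and far above the few dozen bits a wordlist plus mangling rules represents.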