[lmkg]

There is a fundamental difficulty when trying to implement privacy: A limit on the disclosure of information is itself a disclosure of information.

A good privacy design needs to confront this issue directly. Sometimes there's nothing to be done. I think in some cases it's mathematically unsolvable (cf. Cynthia Dwork's paper on Differential Privacy). But an explicit consideration can at least surface some trade-offs. The more fine-grained and selective your redactions, the more information they reveal.

[qmmmur]

It makes me think of password requirements. Isn't it bad to earmark a password as requiring certain things rather than to let the possibilities be completely open?

[function_seven]

From a strictly mathematical view, yeah. Requiring that certain character classes exist in the password will shrink the search space for that password.

But: (1) only a tiny teeny little bit, and (2) the gains in password complexity are probably worth a lot more.

Imagine you have a site that allows numeric PINs between 4 and 6 digits. And another site that requires exactly 6 digits.

Technically, the search space is larger for the first site. An attacker would have 1,110,000 possible codes to check, whereas the 2nd site has 1,000,000. But ensuring that all users are in the 1,000,000 search space is worth it to prevent some users' 4-digit PINs being cracked.

[earenndil]

Consider two websites: website A and website B. Website A places no limitations on passwords except that they all have to be from the base64 character set, and be 1-30 characters in length (inclusive). Website B says all passwords must be at least 8-30 characters long and contain one number and one special character.

Technically, there are 1556820866911379157697368408533647424628560378091278400 possibilities for a given password from the first site, and only 1553740989173808677121103544993503115087947728215015424 for the second site. That's only 0.2% fewer total passwords. However, consider that the typical user's password is probably 6-8 characters and contains only lowercase letters; that means that most users from the first website have only 217167790528 possibilities, while users from the second website--even assuming they only go the bare minimum of 6 lowercase characters + one special character + one number--have 345985669120 password possibilities, which is about 60% more. And that's with the artificial base64 limitation; if you open it up to the full complement of 30 special characters it's significantly more.

[zie]

The US organization NIST finally got the memo, and now recommends no password requirements, and no length limits, and encourages long, random passwords. My passwords are generally 64 chars of random, when I can get away with it.

[strbean]

Some day we'll start seeing password requirements like:

> Your password must be exactly 6 characters

> The first character must be one of: a, b, c, d

> The second character must be one of: !@#$

> ...