[abustamam]

Somewhat unrelated, is there any technical reason certain punctuation might be banned? I can understand maybe not allowing letters with diacritics or other NON-ASCII chars but why would a system reject an @ sign or bracket > for example?

[GoblinSlayer]

Depending on the protocol they can be url encoded or even helpfully html encoded; the same password can be used over different protocols. It's the best to not use punctuation by default (length supplies more entropy than charset), I add -0 at the end to make dumb password policies happy.

[abustamam]

Sorry I'm a bit lost here. Are you saying requiring a special character and a number are dumb password policies? Wouldn't charset AND length make for exponentially higher entropy? 52 (or 62 for digits) to the length power vs (62+20 special chars) to the length power? Or am I missing something?

[ajnin]

I guess what they're saying is that, for example, a password of length 12 has about 71 bits of entropy if using an alphabet of 62 characters, and 76 bits with an alphabet of 82 characters. But if you only increase the length by 1 you already get 77 bits with 62 characters only. So length beats adding special chars in that sense.

[abustamam]

Gotcha, I guess my question is, why not both? Is it the requirement of special chars over a min-length password that is in question here? Like the system is like "minimum 8 char password but also three special chars, ancient heiroglyphs, and the blood of your firstborn child" when you can omit the special chars and just have min 16 char password for the same security benefit?

[GoblinSlayer]

Not very meaningful to create yourself a problem to heroically overcome it later. You can already create enough problems unintentionally.

[abustamam]

I don't quite follow your reasoning. All bugs are (usually) unintentional and created by the programmer.

[InitialLastName]

Often, the same ones with limited punctuation also have length limits, so maximizing the character options is the only way to maximize entropy.

[abustamam]

This is true, but I think the argument is that for maintainers of the system, it's more work to allow more char options when it (should be) more trivial to change MAX_PASS_LENGTH from 12 to 32. Like, if you're gonna add more restrictions, make it the ones that encourage, not block, more secure passwords.

[angst_ridden]

A lot of the restricted stuff is cargo-cult fear of symbols that could be used in SQL-injection or XSS attacks.

A properly-coded system wouldn't care, but the people who write the rules have read old OWASP documents and in there they saw these symbols were somehow involved in big scary hacks that they didn't understand. So it's easier to ban them.