Hacker News new | ask | show | jobs
by GoblinSlayer 125 days ago
Depending on the protocol they can be url encoded or even helpfully html encoded; the same password can be used over different protocols. It's the best to not use punctuation by default (length supplies more entropy than charset), I add -0 at the end to make dumb password policies happy.
2 comments
abustamam 125 days ago
Sorry I'm a bit lost here. Are you saying requiring a special character and a number are dumb password policies? Wouldn't charset AND length make for exponentially higher entropy? 52 (or 62 for digits) to the length power vs (62+20 special chars) to the length power? Or am I missing something?
link
ajnin 125 days ago
I guess what they're saying is that, for example, a password of length 12 has about 71 bits of entropy if using an alphabet of 62 characters, and 76 bits with an alphabet of 82 characters. But if you only increase the length by 1 you already get 77 bits with 62 characters only. So length beats adding special chars in that sense.
link
abustamam 124 days ago
Gotcha, I guess my question is, why not both? Is it the requirement of special chars over a min-length password that is in question here? Like the system is like "minimum 8 char password but also three special chars, ancient heiroglyphs, and the blood of your firstborn child" when you can omit the special chars and just have min 16 char password for the same security benefit?
link
GoblinSlayer 124 days ago
Not very meaningful to create yourself a problem to heroically overcome it later. You can already create enough problems unintentionally.
link
abustamam 124 days ago
I don't quite follow your reasoning. All bugs are (usually) unintentional and created by the programmer.
link
pintxo 124 days ago
By not using special chars in the first place, you can be sure you will not be able to run into any (unintentional) bugs later.

And not using special chars is cheap, as by requiring a min-length of 13 instead of 12, you can get an even greater level of security.

link
InitialLastName 125 days ago
Often, the same ones with limited punctuation also have length limits, so maximizing the character options is the only way to maximize entropy.
link
abustamam 124 days ago
This is true, but I think the argument is that for maintainers of the system, it's more work to allow more char options when it (should be) more trivial to change MAX_PASS_LENGTH from 12 to 32. Like, if you're gonna add more restrictions, make it the ones that encourage, not block, more secure passwords.
link