[abustamam]

Sorry I'm a bit lost here. Are you saying requiring a special character and a number are dumb password policies? Wouldn't charset AND length make for exponentially higher entropy? 52 (or 62 for digits) to the length power vs (62+20 special chars) to the length power? Or am I missing something?

[ajnin]

I guess what they're saying is that, for example, a password of length 12 has about 71 bits of entropy if using an alphabet of 62 characters, and 76 bits with an alphabet of 82 characters. But if you only increase the length by 1 you already get 77 bits with 62 characters only. So length beats adding special chars in that sense.

[abustamam]

Gotcha, I guess my question is, why not both? Is it the requirement of special chars over a min-length password that is in question here? Like the system is like "minimum 8 char password but also three special chars, ancient heiroglyphs, and the blood of your firstborn child" when you can omit the special chars and just have min 16 char password for the same security benefit?

[GoblinSlayer]

Not very meaningful to create yourself a problem to heroically overcome it later. You can already create enough problems unintentionally.

[abustamam]

I don't quite follow your reasoning. All bugs are (usually) unintentional and created by the programmer.

[pintxo]

By not using special chars in the first place, you can be sure you will not be able to run into any (unintentional) bugs later.

And not using special chars is cheap, as by requiring a min-length of 13 instead of 12, you can get an even greater level of security.

[abustamam]

Got it, thanks! That makes sense.