Everyone in the conversation seems to be pointing out the fact that this is due to integration with legacy software. That's not an acceptable reason. In the broader sense, there is a great irony in making password "strength" restrictions, like "must include" and "must not include", because they often end up making passwords easier to brute force. If you start with the restriction that all passwords must have > 8 characters, you have basically an infinite number of possibilities; smart users will use a passPHRASE that is easy to remember. Dumb users will try to hit the bare minimum characters. When you put a restriction of 20 chars, it reduces the possibility that a person's favorite passphrase fits, and guarantees that the set of all passwords is 8-20 characters, which means that the set of all passwords is smaller still. They disallow special chars, which probably includes space, which further reduces the likelihood that someone will pick a passphrase. Disallow repeating characters and you've further reduced the entropy. Disallow Q and Z and it's reduced further still. I can't be arsed to do the math, so I'll reference XKCD: http://xkcd.com/936/. But Sabre would do well to correct this; the optimal case is simply making a single requirement: passwords must be greater than 8 characters. The "don't use your last N passwords" requirement isn't bad, but people usually find hacky ways around this.
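The math the comment skips, as an added example (not from the thread or from Sabre): it counts how many passwords each rule set permits and reports the keyspace in bits. The policies and alphabet sizes are constructed assumptions modelled on the rules described above, and "disallow repeating characters" is assumed to mean no two adjacent identical characters.

```python
"""Keyspace arithmetic for password composition rules.

Constructed example. Each policy is (alphabet size, min length,
max length, no-adjacent-repeat). Alphabet sizes are assumptions:
95 = printable ASCII incl. space, 62 = [A-Za-z0-9], 58 = 62 minus Q/q/Z/z.
"""
import math


def count_passwords(alphabet_size: int, min_len: int, max_len: int,
                    no_adjacent_repeat: bool = False) -> int:
    """Number of strings with length in min_len..max_len over the alphabet.

    With no_adjacent_repeat, each character must differ from the one
    before it (assumed reading of "disallow repeating characters"), so
    every position after the first has alphabet_size - 1 choices.
    """
    total = 0
    for n in range(min_len, max_len + 1):
        if no_adjacent_repeat:
            total += alphabet_size * (alphabet_size - 1) ** (n - 1)
        else:
            total += alphabet_size ** n
    return total


def bits(count: int) -> float:
    """Keyspace size expressed as bits of entropy for a uniform choice."""
    return math.log2(count)


# Hypothetical policies; the 64-char ceiling on the first one stands in
# for "no maximum", which the ">8 characters" rule implies.
POLICIES = {
    "length >= 8, any printable (cap 64)": (95, 8, 64, False),
    "8-20 chars, any printable": (95, 8, 20, False),
    "8-20 chars, alphanumeric only": (62, 8, 20, False),
    "8-20, alnum, no Q/Z": (58, 8, 20, False),
    "8-20, alnum, no Q/Z, no adjacent repeat": (58, 8, 20, True),
}


def policy_bits() -> dict:
    """Map each policy name to the bits of keyspace it leaves an attacker."""
    return {name: bits(count_passwords(*p)) for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, b in policy_bits().items():
        print(f"{b:7.1f} bits  {name}")
```

Each added rule shrinks the number the last line prints, which is the point the comment makes in words.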