There's some interesting research from Microsoft (and I think similar from the UK government) that suggests you should only enforce an 8-character length rather than all the symbols and numbers etc.
There is more explanation out there, but off the top of my head it was mainly because people just make simple additions (like adding a '1' at the end) or substitutions (like '0' rather than 'o') which are trivial for password crackers to circumnavigate. They instead suggest checking the password isn't one of the most common ones, to stop things like 'password' or 'qwerty' being used.
There's an xkcd comic about it that I'd find if I wasn't on my phone! 🙂
You're right. While enforcing complexity does increase the search space, it also eliminates a huge search space (i.e., all the possible combinations that do not meet the required complexity). It also isn't as easy to remember, which incentivizes users to store them somewhere else; this greatly reduces the effective security of the user's account. Sure, they're still hard to brute-force, but if you can obtain it out-of-band, there's no brute-force required.
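As an added example (not code from this thread), here is how the two comments above translate into a policy check: a minimum length of 8, a deny list of common passwords consulted after undoing the trailing-'1' and '0'-for-'o' mangling Jamie describes, and an inclusion-exclusion count of how much of the 8-character search space a four-class complexity rule throws away. The deny list and substitution map are constructed placeholders.

```python
import re
from itertools import combinations

# Constructed sample deny list; a deployment would load a published "most common
# passwords" list (typically the top few thousand entries) instead.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "iloveyou", "welcome"}

# Predictable substitutions the thread mentions ('0' for 'o' and friends). Undoing
# them before the lookup means 'Passw0rd1' is rejected along with 'password'.
# The map is a small illustrative assumption, not an exhaustive rule set.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Reduce a candidate to the base word a cracker's mangling rules start from."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())  # drop the '1' (or '!') tacked on the end
    return base.translate(LEET_MAP)                      # then undo the character swaps


def check_password(password: str) -> list[str]:
    """Return the policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("too close to a common password")
    return problems


# Character classes a typical "must contain one of each" rule demands (95 printable ASCII).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def fraction_passing_complexity(length: int = 8) -> float:
    """Share of all `length`-character printable-ASCII strings that contain at least one
    character from every class, computed by inclusion-exclusion over the missing classes."""
    total = sum(CLASSES.values())
    names = list(CLASSES)
    allowed = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            size = total - sum(CLASSES[c] for c in missing)
            allowed += (-1) ** k * size ** length
    return allowed / total ** length
```

For 8 characters the four-class rule keeps under half of the raw search space, which is the "eliminates a huge search space" effect described above.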
I learned some techniques, too, from this post (cookie renaming and 403 -> 404). Great job, Banso!
Thanks for the insight Jamie. I just learnt something new.
Thank you for a good writeup.
Yes, better to use long passwords than short passwords with digits and symbols. This is probably the xkcd Jamie Read is referring to:
xkcd.com/936/
Thank you! The xkcd explains it greatly.