Discussion on: Do password rules impact security?

Kostas Sar

I believe that since the problem is solved by adding a couple more characters to the password it is not really an issue. We are not talking about getting the length up to 20-25 characters but just to 9-10. Which is still quite easy to remember.

Sure, it takes away all the combinations that use characters from some instead of all the character groups you mentioned but it is easily negated by the password length.

Plus the number one rule to make your password "immune" to brute force is making it longer than 8 characters (by today's standards, correct me if I'm wrong). Most of the sites that test password strength suggest so.

Dominik Weber

I guess the question is actually all about psychology. Is this really not a burden for the user? 1-2 characters don't sound that much, but for some it might make it too hard and they write it down somewhere. It's not just about crackability.

On average one could probably say that, but it actually depends on the hashing algorithm. If it takes 10s to check one password, then a lot fewer characters are needed. And if md5 is used, the longest password on earth won't help you.
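The two comments above argue about two separate levers: how many characters a policy requires, and how fast the attacker can test a guess against the stored hash. The following Python script is an added example, not code from either commenter or from DEV, that puts numbers on both. The character-group sizes and the two guess rates (a fast unsalted hash versus a deliberately slow password hash) are the example's own assumptions, chosen as round figures for illustration rather than measured benchmarks.

```python
import math

# Character-group sizes for printable ASCII. These counts are this example's
# assumption; the thread names the groups but does not size them.
GROUPS = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Guess rates are constructed round numbers for illustration, not measurements:
# a fast unsalted hash versus a slow, work-factor-tuned password hash.
RATES = {"fast_hash": 1e10, "slow_kdf": 10.0}


def alphabet_size(groups):
    """Size of the alphabet formed by the union of the named character groups."""
    return sum(GROUPS[g] for g in groups)


def keyspace(groups, length):
    """Number of passwords of exactly `length` characters drawn from that alphabet."""
    return alphabet_size(groups) ** length


def entropy_bits(groups, length):
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size(groups))


def worst_case_seconds(groups, length, guesses_per_second):
    """Seconds to exhaust the whole keyspace at the given guess rate."""
    return keyspace(groups, length) / guesses_per_second


def min_length_for(groups, guesses_per_second, target_seconds):
    """Smallest length whose full keyspace takes at least target_seconds to exhaust."""
    n = 1
    while worst_case_seconds(groups, n, guesses_per_second) < target_seconds:
        n += 1
    return n


def compare(target_seconds=10 * 365 * 24 * 3600):
    """Required length for each (policy, guess rate) pair; default target is ten years."""
    policies = {
        "lower only": ["lower"],
        "lower+upper+digit": ["lower", "upper", "digit"],
        "all four groups": ["lower", "upper", "digit", "symbol"],
    }
    return {
        (policy, rate): min_length_for(groups, rps, target_seconds)
        for policy, groups in policies.items()
        for rate, rps in RATES.items()
    }


if __name__ == "__main__":
    # Trading character groups for length: compare the entropy of the two shapes.
    all_four = ["lower", "upper", "digit", "symbol"]
    print("8 chars, all groups :", round(entropy_bits(all_four, 8), 1), "bits")
    print("10 chars, lower only:", round(entropy_bits(["lower"], 10), 1), "bits")
    # The guess rate, set by the server's hashing choice, moves the required
    # length far more than the character policy does.
    for (policy, rate), n in sorted(compare().items()):
        print(f"{policy:20s} {rate:10s} needs length {n}")
```

Running it shows the point Dominik makes: with a slow password hash at ten guesses per second, even a lowercase-only password of seven characters outlasts a ten-year exhaustive search, while a fast hash pushes the same policy to fourteen characters. It also shows that two extra lowercase characters do not quite buy back the entropy of eight characters drawn from all four groups, so the length needed to "negate" a weaker alphabet depends on how much was given up.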

Kostas Sar

It is a burden! Ideally each user has different and difficult passwords for each account he owns. This makes remembering all of them really hard but fortunately we have password managers to do that job. They generate long random passwords and the user just remembers only one really hard one, which is totally doable.

In a perfect world everyone is using one of those and every website has secure and updated password storing.