    Password Complexity, Good or bad?

    IT Discussion
    202 Posts 12 Posters 52.3k Views
    • BRRABill @Dashrender

      @Dashrender said:

      Just change it at least once between now and then and you should be fine.

      I was planning to just add another @ sign but apparently that is a no-no. 🙂

      • Dashrender @BRRABill

        @BRRABill said:

        @Dashrender said:

        Is there a real difference? A meaningful difference?

        My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords. (Say 12 or less.) Why totally take them out of the equation? Especially at the beginning or end of the passphrase? Or on sites that don't allow longer passwords for whatever reason.

        No one ever said take them out.. just that they aren't a requirement.

        The general belief is that the more requirements you put on users, the more they will fight you. So do 12+ and have no requirements - you can suggest that they put in caps, numbers, special characters.. but not required.

        • BRRABill @Dashrender

          @Dashrender said:

          No one ever said take them out.. just that they aren't a requirement.

          The general belief is that the more requirements you put on users, the more they will fight you. So do 12+ and have no requirements - you can suggest that they put in caps, numbers, special characters.. but not required.

          Got it.

          I'm glad you and I had this little discussion!

          • larsen161 @JaredBusch

            @JaredBusch said:

            12+ Characters, complexity not needed. 180+ day password cycle.

            2FA is always nice, but I would never expect to get it going in a standard office environment.

            Why would you never expect to get it going in an office?
            It's been a straightforward implementation process in all of my last 3 companies.

            • Dashrender

              @larsen161
              I won't speak for JB, but for me - it's all around cost.

              • scottalanmiller @Dashrender

                @Dashrender said:

                @larsen161
                I won't speak for JB, but for me - it's all around cost.

                But you can do that for free.

                • scottalanmiller @Dashrender

                  @Dashrender said:

                  @BRRABill said:

                  @Dashrender said:

                  Is there a real difference? A meaningful difference?

                  My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords. (Say 12 or less.) Why totally take them out of the equation? Especially at the beginning or end of the passphrase? Or on sites that don't allow longer passwords for whatever reason.

                  No one ever said take them out.. just that they aren't a requirement.

                  The general belief is that the more requirements you put on users, the more they will fight you. So do 12+ and have no requirements - you can suggest that they put in caps, numbers, special characters.. but not required.

                  Exactly, don't block people from using them, that's totally different. You want people making long, hard, but easy for them to remember passphrases. Anything that undermines that undermines your security. So the goal is to provide more options and encouragement towards security, not introducing artificial constraints that add effort and frustration because those things work against security.

                  • scottalanmiller @Dashrender

                    @Dashrender said:

                    you can suggest that they put in caps, numbers, special characters.. but not required.

                    I don't even know if I would do that. If those things happen naturally, great, but they literally do nothing for security, so encouraging them for their own sake is bad, even if it is just a gentle nudge. What you want most is non-repeating, long, easy to remember passphrases. Anything that doesn't encourage that isn't useful.

                    • scottalanmiller @BRRABill

                      @BRRABill said:

                      My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords.

                      They don't, though. They add no complexity. They are "just another ASCII character", they are not a thing. The computer does not even know that you thought you added complexity. To the computer there are two kinds of complexity only: length and "not available in a dictionary", the dictionary meaning any list of things, not a dictionary book. A dictionary could include "list of common passwords", for example.

                      • scottalanmiller @BRRABill

                        @BRRABill said:

                        thisisalongpassword = 607 million years

                        thisisalongpasswor@ = 3 trillion years

                        How is that calculated? That's not based on math alone; those two are literally identical. That has to be based on a dictionary attack, and if so, it's not the @ sign that does it.

                        • scottalanmiller @BRRABill

                          @BRRABill said:

                          @travisdh1 said:

                          Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.

                          I also agree with that.

                          I am just saying isn't

                          thisisalongpassword

                          weaker than

                          thisisa@longpassword

                          No, not weaker from a brute force attack. The thing that makes it weaker is that you used all common English words. Change that to gibberish, which is what you did in the second example, and it becomes a non-dictionary attack. That's the difference, not the @ symbol.

                          To a computer password and p@ssw0rd are identically hard. Both words.
                          To a computer aosnmwen and D*n^63ed are identically hard. Both gibberish.

                          Length and gibberish vs. words are what matters. But length trumps gibberish dramatically, so you encourage length not gibberish. But replacing a with @, for example as people do, isn't gibberish, it does nothing.

                          • scottalanmiller

                            It is worth noting that at some point an attack stops looking for your password and starts looking for a collision instead because your password has reached maximum difficulty. No idea when that happens, but it does happen.

                            • Dashrender @scottalanmiller

                              @scottalanmiller said:

                              @Dashrender said:

                              @larsen161
                              I won't speak for JB, but for me - it's all around cost.

                              But you can do that for free.

                              You can get 2TF for Windows AD for free?

                              • Dashrender @scottalanmiller

                                @scottalanmiller said:

                                @BRRABill said:

                                My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords.

                                They don't, though. They add no complexity. They are "just another ASCII character", they are not a thing. The computer does not even know that you thought you added complexity. To the computer there are two kinds of complexity only: length and "not available in a dictionary", the dictionary meaning any list of things, not a dictionary book. A dictionary could include "list of common passwords", for example.

                                OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.

                                For example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than, say, adding a single upper case, which doubles the character set from 26 to 52.

                                • scottalanmiller @Dashrender

                                  @Dashrender said:

                                  You can get 2TF for Windows AD for free?

                                  That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?

                                  • Dashrender @scottalanmiller

                                    @scottalanmiller said:

                                    @BRRABill said:

                                    thisisalongpassword = 607 million years

                                    thisisalongpasswor@ = 3 trillion years

                                    How is that calculated? That's not based on math alone; those two are literally identical. That has to be based on a dictionary attack, and if so, it's not the @ sign that does it.

                                    It is based on math alone - why, might you ask? Because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).

                                    • BRRABill @Dashrender

                                      @Dashrender said:

                                      OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.

                                      For example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than, say, adding a single upper case, which doubles the character set from 26 to 52.

                                      Right. So why doesn't having more character sets add time to the job? That is what I do not yet understand.

                                      Unless the "order" the set is checked against is random.

                                      • scottalanmiller @Dashrender

                                        @Dashrender said:

                                        @scottalanmiller said:

                                        @BRRABill said:

                                        My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords.

                                        They don't, though. They add no complexity. They are "just another ASCII character", they are not a thing. The computer does not even know that you thought you added complexity. To the computer there are two kinds of complexity only: length and "not available in a dictionary", the dictionary meaning any list of things, not a dictionary book. A dictionary could include "list of common passwords", for example.

                                        OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.

                                        For example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than, say, adding a single upper case, which doubles the character set from 26 to 52.

                                        Yes, if you KNOW that the character set is smaller, you get faster computation. But if someone locked the range to smaller and blocked those characters, that would be insane. But, I suppose, no more crazy than all of the things that the OP found in this audit. But, I'd have the same opinion, professional negligence as a best case.

                                        But they don't know, in the real world, that the set is smaller nor is it. The set remains large and what people use remains large. You have like 80 reasonable characters to use easily and more with moderate ease.

                                        • Dashrender @scottalanmiller

                                          @scottalanmiller said:

                                          @Dashrender said:

                                          You can get 2TF for Windows AD for free?

                                          That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?

                                          Not that I'm aware of - though, I don't think many people would use it, even if it was.

                                          • scottalanmiller @Dashrender

                                            @Dashrender said:

                                            @scottalanmiller said:

                                            @BRRABill said:

                                            thisisalongpassword = 607 million years

                                            thisisalongpasswor@ = 3 trillion years

                                            How is that calculated? That's not based on math alone; those two are literally identical. That has to be based on a dictionary attack, and if so, it's not the @ sign that does it.

                                            It is based on math alone - why, might you ask? Because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).

                                            But it can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.

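The back-and-forth above (Dashrender's "smaller character set" argument, Scott's "it's the dictionary, not the @ sign" argument, and BRRABill's question about why more character classes don't simply add time) comes down to which search model you assume the attacker is using. The following Python is an added worked example written for this thread; it is not code from any poster. It estimates the work factor of the thread's two example strings in bits under both models: an exhaustive search over the smallest character classes the password actually uses, and a word-sequence search over a dictionary. The word list `WORDS`, the assumed dictionary size `DICT_SIZE` (20,000 words) and the class sizes (26/26/10/33) are constructed assumptions; the segmentation routine is general and works on any concatenation of list words, not just the thread's phrase.

```python
import math

# Constructed stand-in for an attacker's word list. As the thread says, a
# "dictionary" is any list the attacker has; these entries are just enough to
# split the thread's example phrase. DICT_SIZE is the assumed size of the real
# list behind such a guess (assumption: ~20k common English words).
WORDS = {"this", "is", "a", "long", "password", "pass", "word", "sword"}
DICT_SIZE = 20_000


def smallest_covering_charset(pw: str) -> int:
    """Size of the smallest union of standard classes that covers every char of pw.

    Models an attacker who bets on the user's habits: lowercase only (26),
    adding uppercase (26), digits (10) and the 33 printable non-alphanumeric
    ASCII symbols only where the password actually uses them.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return size


def brute_force_bits(length: int, charset_size: int) -> float:
    """Bits of work for exhaustive search: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def dictionary_bits(word_count: int, dict_size: int = DICT_SIZE) -> float:
    """Bits of work when the attacker guesses word sequences, not characters."""
    return word_count * math.log2(dict_size)


def segment(pw: str, words: set = WORDS):
    """Split pw into the fewest dictionary words (dynamic programming).

    Returns the word list, or None if pw is not a pure concatenation of words
    (a single symbol or misspelling anywhere in it makes this return None).
    """
    n = len(pw)
    best = [None] * (n + 1)
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is not None and pw[start:end] in words:
                candidate = best[start] + [pw[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[n]


def estimate(pw: str, words: set = WORDS, dict_size: int = DICT_SIZE) -> dict:
    """Work estimates for one password under the two attacker models in the thread.

    'brute_force_bits' assumes the attacker searches only the smallest class
    union that covers the password; 'dictionary_bits' applies only if the
    password is a concatenation of list words; 'effective_bits' is the cheaper
    of the two, i.e. what the password is actually worth against that attacker.
    """
    charset = smallest_covering_charset(pw)
    bf = brute_force_bits(len(pw), charset)
    parts = segment(pw, words)
    dict_cost = dictionary_bits(len(parts), dict_size) if parts else None
    effective = bf if dict_cost is None else min(bf, dict_cost)
    return {
        "charset": charset,
        "brute_force_bits": bf,
        "words": parts,
        "dictionary_bits": dict_cost,
        "effective_bits": effective,
    }


if __name__ == "__main__":
    # The thread's two strings plus a misspelt all-lowercase variant.
    for pw in ("thisisalongpassword", "thisisalongpasswor@", "thisisalongpassworde"):
        e = estimate(pw)
        dict_str = "-" if e["dictionary_bits"] is None else f"{e['dictionary_bits']:.1f}"
        print(f"{pw:21} charset={e['charset']:3} brute={e['brute_force_bits']:6.1f} "
              f"dict={dict_str:>5} words={e['words']} effective={e['effective_bits']:.1f}")
    print("any 19-char string if the attacker assumes all 95 printable ASCII:",
          f"{brute_force_bits(19, 95):.1f} bits")
```

Reading the output: "thisisalongpassword" segments into five list words, so the dictionary model (about 71 bits) beats the 26-character brute force (about 89 bits); that is the weakness Scott describes. Breaking the segmentation without any symbol (the misspelt variant) already lifts the effective cost to the 89-bit brute-force figure. The "@" version scores higher still (about 112 bits) only because this model assumes the attacker widens the set from 26 to 59 characters when a symbol is present; an attacker who assumes all 95 printable characters from the start, which is Scott's framing, rates every 19-character string identically at about 125 bits. Each extra character of length, by contrast, adds log2(charset) bits under every one of these models, which is why the thread keeps coming back to length.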