DEV Community

loading...

Discussion on: Do password rules impact security?

Collapse
binarypatrick profile image
Patrick M

Requiring one of each special character doesn't narrow the attack space. You have to remember that the attacker doesn't know the password unless it's guessed correctly. They don't know the order and which characters satisfy which requirements. Therefore to the attacker, every character could be any of the 96. Character requirements enforce that a user takes advantage of the full character space and that the attacker has to try 966.

Collapse
domysee profile image
Dominik Weber Author

But they do know the password rules. So they can eliminate all passwords that don't satisfy them, and not even check those.

Collapse
hoelzro profile image
Rob Hoelz

What if the attacker knows the rules of the system, though? If I were an attacker and I know that the password is exactly 6 characters and at least 1 special character is required, I don't need to bother checking abcdef, right?

Collapse
binarypatrick profile image
Patrick M

Right, but it's a trivial difference. A difference more than made up by the fact that all your passwords had to be brute-forced in the full attack space. If for argument sake we keep a password of six characters with the full allowable space of 96 would be 966. A password of six characters using the full space with a required one special character would be (965) *34. The difference in those two spaces simplifies to 96/34 or ~2.8x. Consider now that without the requirement, you could try guessing passwords in a 26 or 52 character space, knowing that it is likely some percentage of people only had lowercase or alphabetic passwords. That would be a much smaller space and would probably yield a decent number of passwords. Ultimately length matters more than anything, and perhaps requiring a special character creates more attack vectors through social engineering. Real world security is hard all the way around I guess.

Thread Thread
binarypatrick profile image
Patrick M

Also, I'm not sure were OP got 270x... Is my math wrong?

Thread Thread
domysee profile image
Dominik Weber Author

I calculated it for all rules together. 1 lowercase, 1 uppercase, 1 digit, 1 special character.

That yields 96^4 / (26*26*10*34), which is about 370.