DEV Community

loading...

Discussion on: Do password rules impact security?

Collapse
binarypatrick profile image
Patrick M

Right, but it's a trivial difference. A difference more than made up by the fact that all your passwords had to be brute-forced in the full attack space. If for argument sake we keep a password of six characters with the full allowable space of 96 would be 966. A password of six characters using the full space with a required one special character would be (965) *34. The difference in those two spaces simplifies to 96/34 or ~2.8x. Consider now that without the requirement, you could try guessing passwords in a 26 or 52 character space, knowing that it is likely some percentage of people only had lowercase or alphabetic passwords. That would be a much smaller space and would probably yield a decent number of passwords. Ultimately length matters more than anything, and perhaps requiring a special character creates more attack vectors through social engineering. Real world security is hard all the way around I guess.

Thread Thread
binarypatrick profile image
Patrick M

Also, I'm not sure were OP got 270x... Is my math wrong?

Thread Thread
domysee profile image
Dominik Weber Author

I calculated it for all rules together. 1 lowercase, 1 uppercase, 1 digit, 1 special character.

That yields 96^4 / (26*26*10*34), which is about 370.