Daniel J. Summers

You're right. While enforcing complexity does increase the search space, it also eliminates a huge search space (i.e., all the possible combinations that do not meet the required complexity). It also isn't as easy to remember, which incentivizes users to store them somewhere else; this greatly reduces the effective security of the user's account. Sure, they're still hard to brute-force, but if you can obtain one out-of-band, there's no brute-force required.

I learned some techniques, too, from this post (cookie renaming and 403 -> 404). Great job, Banso!
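To put a number on how much of a password keyspace a "must contain every character class" rule discards, here is an added example (not code from Banso's post or from the comment above). It assumes the 95 printable ASCII characters split into four classes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and counts, by inclusion-exclusion, how many fixed-length strings contain at least one character from every class; a brute-force enumeration over a tiny constructed alphabet cross-checks the formula.

```python
from itertools import combinations, product

# Assumed policy classes over printable ASCII: 26 + 26 + 10 + 33 = 95 characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def count_all_classes(class_sizes, length):
    """Number of strings of `length` over the union alphabet that contain at
    least one character from every class, by inclusion-exclusion: for each
    subset of classes that is excluded, add or subtract the number of strings
    drawn only from the remaining characters."""
    sizes = list(class_sizes.values())
    alphabet = sum(sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            remaining = alphabet - sum(excluded)
            total += (-1) ** k * remaining ** length
    return total


def keyspace_report(class_sizes, length):
    """Compare the unconstrained keyspace with the policy-compliant subset."""
    alphabet = sum(class_sizes.values())
    total = alphabet ** length
    compliant = count_all_classes(class_sizes, length)
    eliminated = total - compliant
    return {
        "total": total,
        "compliant": compliant,
        "eliminated": eliminated,
        "fraction_eliminated": eliminated / total,
    }


def brute_force_count(class_alphabets, length):
    """Enumerate every string over a small constructed alphabet and count the
    ones containing every class; only used to cross-check the formula."""
    alphabet = "".join(class_alphabets)
    hits = 0
    for s in product(alphabet, repeat=length):
        if all(any(c in cls for c in s) for cls in class_alphabets):
            hits += 1
    return hits


if __name__ == "__main__":
    report = keyspace_report(CLASSES, 8)
    print(f"8-char keyspace: {report['total']:,}")
    print(f"compliant with all four classes: {report['compliant']:,}")
    print(f"eliminated by the rule: {report['fraction_eliminated']:.1%}")
```

For 8-character passwords the rule discards a bit over half of the 95^8 strings. The `brute_force_count` helper is there so the inclusion-exclusion arithmetic can be checked exactly on an alphabet small enough to enumerate, including the edge case where the string is shorter than the number of required classes (no string can comply).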