undefined | Better HN

0 pointsgspencley4y ago0 comments

You're probably right that, in practice, the character class doesn't automatically add security if the password is sufficiently strong and random. The theory is that by introducing special characters you're decreasing the likelihood of having characters that are commonly found together, thus decreasing the effectiveness of dictionary attacks.

Of course modern dictionary algorithms will still look for characters that are commonly used as substitutes for letters ($ = s, # = h, ! = 1 etc.) so really you just want your password to be random, long and unique.

0 comments

iso16314y ago

Vast majority of passwords will have just 1 symbol, either at the start or end, or replace A with @, S with $, etc

P@55w0rd!

Is an awful password, yet meets many security policies

P@ssword2, P@ssword3, P@ssword4 etc

Also meet them, and rotate just fine.

Meanwhile

dadbffc67f798e8e0b7441fb995aeabe

Is perfectly fine, but often is not allowed

falcolas4y ago

> Is perfectly fine, but often is not allowed

Nor is "correct horse battery staple". For wanting symbols, so many password systems really hate spaces.

dylan6044y ago

I can't tell you how pissed I was when the ex-Pres revealed my password with his "Man Woman Camera TV" rant.

iso16314y ago

correct horse battery staple is a terrible password :D

1 more reply

tomp4y ago

I end passwords with "1Aa" or "1Aa," to appease all these random requirements.

Don't worry, the first 10 letters are randomly generated a-z or a-z0-9.

1 more reply

the_snooze4y ago

The NIST guidelines address that in a much more straightforward way: maintain a list of known bad passwords (e.g., HIBP) and prohibit users from using any of those. Character class requirements are pointless.

j / k navigate · click thread line to collapse