Passwords

Why do websites insist on less secure passwords? If you have an 8 character password made up of any letter (upper and lower) and any number and any “special” character we can say that is a choice of any one of 70 character on any of the 8 positions, or 576,480,100,000,000 combinations (that’s 576 trillion in American). Insisting that one character is an uppercase letter, one is a number and one is a “special” character that brings the combinations down to 3,495,856,000,000 (or 3 trillion). Still a large number but easier to crack. According to excel it is 0.61% of the original possibilities.

Forcing people into having upper and lower case is a good thing in some ways. It discourages them from reusing passwords, But it also means they are less likely to be able to remember their passwords and need to either reset their passwords more often or, and this is the ironic part, WRITE THEM DOWN ON THEIR COMPUTER, which in itself is a very insecure thing to do. The point of a password is that it is something you can remember and easily type. Typing on smart phones can also discourage complicated passwords. I was once given a complex password with AK47 in the middle and that helped me remember it. Not allowing “password” is a good move, but is “015804468” less secure?

In this example I have used 26 lowercase, 26 uppercase, 10 numbers and 8 for the number of special characters to get to 70 possibilities. The use of @ for instance in some passwords can case problems as HTTP can interpreter it as part of an email address and “ and ‘ are not such a good idea either. So people tend to stick to #, $, {} and ! and a few others, so I think 8 is a fair number.

So are password restrictions what hackers love?