owen

Chris recently complained about the phenomenon of services requiring you to enter all sorts of weird characters in new passwords before accepting them. We both remarked that, amusingly, this is potentially less secure than letting the user select whatever password they want. Why is that so?

Assume that people will select “good” passwords (this assumption is utterly incorrect, which is why the services make you put crazy things in your passwords). Then there is a specific number of character combinations that a password can consist of. By requiring one of the characters in your password to be a specific character, you have actually reduced the number of combinations. Let’s try a synthetic example.

Suppose that you are to create a 3-digit password from the characters “a,b,c”. The number of combinations you can assemble these characters in is:

(the number of character options) ^ (the number of characters used)

In this case, 3^3 or 27 different possible passwords. Now, if I told you that one of the characters had to be an “a”, that would significantly reduce the number of combinations to 19.

Using more characters in the combination makes the reduction in options even more significant. And if the password system requires you to use, say, “at least one number and at least one symbol” that reduces the namespace even more.
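Here is the count above worked out in code, as an added example (not part of the original post). It reproduces the 27-vs-19 toy case and then generalizes it via inclusion-exclusion to any number of required character classes, such as “at least one number and at least one symbol”; the character sets in the example calls are assumptions, not anything the post specifies.

```python
from itertools import combinations, product


def count_passwords(required, free, length):
    """Number of strings of `length` built from the required classes plus the
    free characters that contain at least one character from EVERY required
    class. Inclusion-exclusion: start with all strings, subtract those missing
    one class, add back those missing two, and so on."""
    alphabet_size = sum(len(cls) for cls in required) + len(free)
    total = 0
    for r in range(len(required) + 1):
        for dropped in combinations(required, r):
            remaining = alphabet_size - sum(len(cls) for cls in dropped)
            total += (-1) ** r * remaining ** length
    return total


def brute_force_count(required, free, length):
    """Same count by enumeration; only practical for tiny alphabets, used here
    to check the formula."""
    alphabet = "".join(sorted(set().union(*required, free)))
    return sum(
        1 for pw in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in pw) for cls in required)
    )


def keyspace_fraction(required, free, length):
    """Share of the unconstrained keyspace that survives the policy."""
    alphabet_size = sum(len(cls) for cls in required) + len(free)
    return count_passwords(required, free, length) / alphabet_size ** length


if __name__ == "__main__":
    # The post's toy case: 3 characters from "abc", one of them must be "a".
    print(count_passwords([{"a"}], "bc", 3), "of", 3 ** 3)  # 19 of 27

    # Assumed policy: 8 characters, at least one digit and at least one of
    # eight symbols, over lowercase letters (sets are constructed for the demo).
    digits = set("0123456789")
    symbols = set("!@#$%^&*")
    lower = "abcdefghijklmnopqrstuvwxyz"
    print(keyspace_fraction([digits, symbols], lower, 8))
```

The fraction printed for the second policy is well below 1, which is the post's point: every “must contain” rule removes strings an attacker no longer needs to try, assuming passwords were chosen uniformly in the first place.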

Granted, the goal of such systems is to get you to select a good password, primarily one that isn’t going to be found using a dictionary attack, where a hacker runs through a list of common words and attempts to use each as the password. But a user should have the option to create a password that does not meet these arbitrary criteria if the password is otherwise “good”, since it would fall outside the typical “pick at least one of these” set of passwords.

Oh, while I’m on the topic… Your password that so cleverly converts letters into their numerical counterparts? Yeah, everybody does that. The only reason you don’t know that everyone does that is that people don’t share their passwords, so there is no collective intelligence about it. I know that everyone does this because I have access to passwords on systems that I didn’t make up.

You should realize that it’s just a matter of time before the dictionary attacks include both “password” and “passw0rd”. They probably already do. You’re probably already hacked. Go change your password now.