Linda Walsh wrote:
Jeremy Leonard wrote:
I need to require users to use 2 caps, 2 lowercase, 2 special, and 2 numbers.
Wow....what's this for? Sounds like it would be a royal pain in the posterior....
Why so many special requirements?
Security requirements. Those are typical password requirements for US government accounts.
Isn't it more important for a user to have an unbreakable or unguessable password than to meet certain criteria of characters?
There is no such thing as an unbreakable or unguessable password... any brute-force attack can eventually succeed.
Tell users just to use a "passphrase" instead of a password...and require 20 characters or more.
You can make passphrases which fit the criteria like this:

    d0N,Tuh8@!on9PAssW0rd?
     ^                ^
     zero             zero

    @N0th3r!on9P422w0rd
Wouldn't that create a small amount of security?
The idea is that the number of passwords which need to be tried to guarantee success in a brute force attack is:

    CharacterSetSize ** PasswordLength

By forcing the user to expand beyond 26 lowercase letters, to include upper case, numerals, and punctuation characters, the character set size expands from 26 to 94. So, for a given password length...

    possible lowercase passwords    =  26 ** length
    possible full charset passwords ~= 94 ** length
    94 ** length = (26 * 3.615) ** length

So, using only the lowercase character set, you need 3.615 times as many characters to get the same level of security against brute force attacks as using the full character set. Thus the security level against brute force attacks of a length=10 password using 94 characters is about the same as that of a length=36 password using only lowercase letters.
Who was it I saw recently...had a password that was a 20-30 digit prime-looking number. Ouch!
I hope it isn't restricted to just prime numbers...that would make the list of passwords to try rather short compared to just any randomly chosen number of the same length. And restricting to only characters 0-9 is actually a horrible choice... By the same principles as above, 30/(26/10) = 30/2.6 = 11.5, a 30-digit numeral is equivalent to an 11.5 character password of lowercase letters, and 30/(94/10) = 30/9.4 = 3.2 and equivalent to a password of only 3 characters if uppers, lowers, numerals and punctuation are all equally probable password characters.
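The keyspace arithmetic used in the two messages above, and the 2-upper/2-lower/2-digit/2-special policy from the original question, as an added example that is not part of the thread. It works in the general case by solving N2 ** L2 == N1 ** L1 for L2 (so any two character sets can be compared, not only lowercase against the full 94-character set), and treats Python's string.punctuation (32 characters) as the "special" class, which is an assumption; 26 + 26 + 10 + 32 gives the 94 quoted in the thread.

```python
import math
import string

# Added example, not from the thread: brute-force keyspace arithmetic plus the
# "2 of each class" policy the original question describes.


def keyspace(charset_size: int, length: int) -> int:
    """Candidates a brute-force search must try to guarantee success: N ** L."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace, so different policies sit on one scale."""
    return length * math.log2(charset_size)


def equivalent_length(charset_size: int, length: int, target_charset_size: int) -> float:
    """Length L2 over a charset of size N2 with the same keyspace as L over N1.

    Solving N2 ** L2 == N1 ** L for L2 gives L2 = L * log(N1) / log(N2).
    """
    return length * math.log(charset_size) / math.log(target_charset_size)


def meets_policy(password: str, minimum: int = 2) -> bool:
    """At least `minimum` characters from each class: upper, lower, digit, special.

    'special' is assumed to mean string.punctuation (32 ASCII characters).
    """
    classes = (
        string.ascii_uppercase,
        string.ascii_lowercase,
        string.digits,
        string.punctuation,
    )
    return all(sum(c in cls for c in password) >= minimum for cls in classes)


if __name__ == "__main__":
    # (26, 10) and (94, 10) are the lowercase vs full-charset comparison from the
    # thread; (10, 30) is the 30-digit numeric password.
    for n, length in ((26, 10), (94, 10), (10, 30)):
        print(f"N={n:3d} L={length:3d}: {entropy_bits(n, length):6.1f} bits, "
              f"= {equivalent_length(n, length, 26):5.1f} lowercase chars")
    for pw in ("d0N,Tuh8@!on9PAssW0rd?", "correct horse battery staple"):
        print(f"{pw!r}: policy {'ok' if meets_policy(pw) else 'not met'}")
```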
Viva la biometrics!
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org