dave
Premium,MVM
join:2000-05-04
not in ohio
 ·Verizon Online DSL
 ·Verizon FIOS
1 edit | reply to BlitzenZeus
Re: Big Sites That Don't Allow Complex Passwords !?!
said by BlitzenZeus  :If your just setting up complex passwords in some password program, its not helping you at all. Using some master password to as part of a password storage then your only fooling yourself when it comes to security. Assume an attacker has no access to your PC; he's merely attacking the web site (and it's not tricky to guess, for example, that there might be a user called 'dave'). There is no 'master password' involved. It's simply a matter of how hard it is to brute-force the password space.
If the password space is restricted to [A-Za-z0-9] then there are far fewer possible passwords than if passwords could use any characters. Thus, the password is easier to guess. Simple arithmetic.
This is just sloppy programming, about as sloppy as the idiots who insist you type credit card numbers without spaces, despite that fact that the numbers on the cards are grouped in fours for a very good reason.
I suppose the point of your comemnt may be that people who use 'complex passwords' must be keeping them in software-managed keyrings. That doesn't seem to follow at all. A few non-alphameric characters dropped into a password doesn't suddenly make it impossible to remember; even a scheme as silly as replacing an 's' with '$' adds a small amount of strength, withut making the password harder to remember.
--
Microsoft Security MVP, 2005-2007. |
