Sometimes when you create an account or change the existing password of an account on some website, the site will impose some requirements on your password. Archetypal requirements are like "must contain at least one number", "must contain at least one capital letter", "must contain at least one non-alphanumeric character" and so on.
This is what happens when developers who have no understanding of cryptography get to write such applications. They think that they are making the password more secure by requiring such things, because they think that they are enlarging the search space of a brute-force attack, but ironically what they are doing is the exact opposite!
Ironically, rather than enlarging the search space, they are narrowing it!
Consider, for example, the requirement "must contain at least one number": Someone making a brute-force search of the password now knows that at least one of the characters is from a very small set of ten. This narrows down the entire search space by quite a significant percentage!
Likewise "must contain at least one capital letter" allows the attacker to know that one of the characters has to be from a set of 26. Combine this with the previous (if the site requires both), and you have narrowed the entire search space by quite a bit.
Even "must contain at least one non-alphanumeric character" narrows down the search space because the attacker, once again, knows that at least one of the characters in the password is for certain not a letter or a number, ie. a set of 62 characters can be skipped for one of the password characters on each attempt.
And, ironically, the more such narrowing requirements that a website puts on passwords, the more they shrink the search space because all of those restrictions are combined in the same password.
The only beneficial requirement for password security is a minimum length. (While this allows the attacker to skip all attempts that are shorter, that's such a tiny fraction of the entire search space that's it's essentially inconsequential. It might have a tiny effect, but in no way significant.)
No comments:
Post a Comment