"Or is it better just to add another character to your password?"

Or more importantly - is it better just to add an arbitrary number of characters to your password? The biggest problem with rules for passwords is restricting the length, often to as few as 8 characters (and PINs, which are just passwords by another name, are usually just 4). There are arguments about how strong XKCD's "correct horse battery staple" scheme is, but the arguments against it all rest on the length being short - if you know a password is made of 4 words, you can target an attack based on that knowledge. But what if a password might be 20 words long or more, and you have no idea what that length actually is? A brute force dictionary-based attack on such a password is much, much harder than a character-based attack on a password with 20 characters no matter how many special characters you allow, since there are far more than just 96 words in any language.

And as is always pointed out, people are really good at remembering words. That's the whole problem - people choose passwords they can actually remember. We routinely remember the lyrics to hundreds of songs, can quote from hundreds of films and books, memorise long poems, plays and speeches, and so on. Using just a few random words might not make a more secure password, but why limit it to that? Allow arbitrary length passwords, enforce a minimum length (20 characters or so), enforce only lower case letters (so there are no problems remembering capitalisation and punctuation), and everything would be far more secure and far easier to remember.
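To put numbers on the comparison made in this comment, the following is an added example (not part of the comment or thread above) that computes the attacker's guess space, in bits, for a fixed-length character password, a word passphrase of known length, and a word passphrase whose length is only known to lie in a range. The 96-symbol printable alphabet, the 7,776-word dictionary size, and uniformly random selection of every character or word are assumptions for illustration.

```python
import math

# Assumed sizes: 96 printable ASCII symbols, and a 7,776-word list
# (the size of a Diceware list). All functions assume each character or
# word is chosen uniformly at random, which user-chosen passwords are not.
PRINTABLE_ASCII = 96
DICEWARE_WORDS = 7776


def char_password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Guess-space bits for a random password of known, fixed length."""
    return length * math.log2(alphabet_size)


def wordlist_bits_known_length(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Guess-space bits when the attacker knows exactly how many words were used."""
    return words * math.log2(dictionary_size)


def wordlist_bits_unknown_length(min_words: int, max_words: int,
                                 dictionary_size: int = DICEWARE_WORDS) -> float:
    """Guess-space bits when the attacker only knows the word count is in
    [min_words, max_words]. The total is the sum of the keyspaces for every
    admissible length; because each extra word multiplies the space by the
    dictionary size, the longest admissible length dominates the sum."""
    total = sum(dictionary_size ** k for k in range(min_words, max_words + 1))
    return math.log2(total)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed, fixed guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash, for scale only
    policies = {
        "8 printable chars":              char_password_bits(8),
        "20 printable chars":             char_password_bits(20),
        "20 lowercase-only chars":        char_password_bits(20, 26),
        "4 words, length known":          wordlist_bits_known_length(4),
        "20 words, length known":         wordlist_bits_known_length(20),
        "4..20 words, length unknown":    wordlist_bits_unknown_length(4, 20),
    }
    for name, bits in policies.items():
        years = seconds_to_exhaust(bits, rate) / (365 * 24 * 3600)
        print(f"{name:30s} {bits:7.1f} bits  ~{years:.3g} years at {rate:.0e}/s")
```

Comparing the "20 words, length known" and "4..20 words, length unknown" rows shows how much of the strength comes from the maximum length itself rather than from the length being unknown.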

