
One system I use just changed its password policy. Previously, the only requirement was 6 digits (e.g. 123456, 111111).

Now it's 8 digits, with no sequence bigger than 3 digits, and no pattern such as abab anywhere.

No clear rules, but the following are invalid:

  • 11111111
  • 12345678
  • 12393659 (because of ^123)
  • 76768747 (because of ^7676)
  • 11195712 (because of ^111)

Any way to calculate the difference in randomness? Mainly, is the set now bigger or smaller?

  • Good point, changed the question on the last line to be more math oriented. (2011-12-19)

3 Answers


Six digits gives $10^6$ possibilities, and $\log_2(10^6)\approx 20$, so the old way is about $20$ bits. Eight digits gives $10^8$ possibilities, which is about $26.6$ bits. The restrictions don't hurt too much. A rough approximation would be to say the three-successive-digit rule removes $\frac1{1000}$ after the second digit and the three-repeated-digit rule the same. So you only lose $\frac{12}{1000}$ of your passwords. The repeated-pairs rule removes even fewer. Practically, if you were brute forcing, you would probably ignore the restrictions and try them all, as it would be so much easier to program.
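To put an exact number on the estimate above, here is an added example (my own code, not from the question or any answer) that counts the allowed 8-digit PINs with a small dynamic program and converts the count to bits. The rule set is an assumption inferred from the listed invalid examples: no 111-style triple, no 123-style ascending triple, and no abab pattern; descending runs such as 321 are not treated as sequences.

```python
"""Exact count of allowed PINs under the rules inferred from the question.
Assumed rules (inferred from the invalid examples, not stated by the system):
no 111-style triple, no 123-style ascending triple, no abab pattern anywhere."""
import math
from itertools import product

def violates(d):
    """True if the digit sequence breaks any of the three inferred rules."""
    for i in range(len(d) - 2):
        if d[i] == d[i + 1] == d[i + 2]:
            return True  # aaa
        if d[i + 1] == d[i] + 1 and d[i + 2] == d[i] + 2:
            return True  # abc ascending run
    for i in range(len(d) - 3):
        if d[i] == d[i + 2] and d[i + 1] == d[i + 3]:
            return True  # abab
    return False

def is_allowed(pw):
    """Check one candidate PIN string against the inferred rules."""
    return not violates([int(c) for c in pw])

def count_allowed(length):
    """Exact count via a DP whose state is the last three digits: every rule
    spans at most four digits, so a prefix's future depends only on its last
    three (1000 states x 10 transitions per position, not 10**length strings)."""
    states = {(): 1}  # tail digits -> number of allowed prefixes ending in it
    for _ in range(length):
        nxt = {}
        for tail, n in states.items():
            for digit in range(10):
                window = tail + (digit,)  # only the new digit can add a violation
                if not violates(window):
                    nxt[window[-3:]] = nxt.get(window[-3:], 0) + n
        states = nxt
    return sum(states.values())

def count_brute(length):
    """Slow reference count used to cross-check the DP on short lengths."""
    return sum(1 for t in product(range(10), repeat=length) if not violates(t))

def bits(n):
    """Entropy in bits of a uniform choice among n equally likely PINs."""
    return math.log2(n)

if __name__ == "__main__":
    old, new = 10 ** 6, count_allowed(8)
    print(f"old policy: {old} PINs, {bits(old):.1f} bits")
    print(f"new policy: {new} PINs, {bits(new):.2f} bits, "
          f"{100 * (1 - new / 10 ** 8):.1f}% of 8-digit PINs removed")
```

Under these assumed rules the new set is still far larger than the old $10^6$; the exact removed fraction is what the script prints, so the guess above can be replaced by a measured figure once the real rules are known.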


In the absence of clear rules, it's hard to count the number of allowed passwords. But I don't think that's the point. An attacker wouldn't have to try all possible passwords: they would try ones that people are likely to choose because they're easy to remember. If passwords such as $123456$ are allowed, some people will use them, and the attacker will take advantage of that. With the new rules, people will have to be more creative in choosing an easy-to-remember password. Maybe the first 8 digits of their favourite pizza restaurant's phone number -- oh wait, the attacker knows that too...

  • Agree 100% with that. But for people who know how to choose good passwords, having a large chunk of the set removed makes the only possible attack (brute force) easier. I'm trying to calculate if the available set increased or decreased. (2011-12-19)
  1. You say: "No clear rules, but the following are invalid:" But there must be clear rules, otherwise how did this get implemented?
  2. The new set of allowed passwords is nearly 100 times larger than the old set -- the restrictions only invalidate a small proportion of the extra numbers. Without knowing the rules, it's impossible to say exactly what this proportion is, but my rough guess would be less than 10%. So no worries there.
  3. Why are only digits allowed? Are you using a numeric keypad?
  • 3. Absolutely no idea. Maybe it's because they expect the system to be used on mobile devices? I can only guess here, but it's only digits for sure. (2011-12-19)