Do you think password requirements are set in order to make it easier to crack them? ( conspiracy )

submitted by PM_me_your_mitts

It makes sense in my mind that the password requirements are so out of the normal way of thinking that most people can't remember them all and therefore reuse portions of passwords or simply make small changes when going from one service to the next.

They say it is for security sake but I've heard that passwords that just involve 3 randomized words are harder to decode than something like Pword$42.

By giving us restrictions on how to make the passwords aren't they also making it easier to dial into them and figure them out?

Granted you can of course make your password much longer and Pwordispussypony#420, though I've seen character limits.

What are your thoughts?

scandalous-goat

I never thought about that.

On one hand, requiring multiple character class increases the number of combinations to test, which increase the time it takes to brute force a password. Same with the length. Forbidding dictionary words prevent "shortcuts".

On the other hand, since the passwords are harder to remember, some people will tend to reuse the password everywhere. Also, some may, when prompted to change the password, be lazy and just change a single character. This pokes a big hole into the security of a system.

So, where do those policies come from? It is reasonable to think that it is just a recommendation from programmers who didn't think about the human aspect, but it is also possible that it could be a sneaky way to poke holes into systems / networks under the guise of increase of security.

Remember, at the time, the computers were far slower than they are today.

brandon816

Unfortunately, people don't know how to properly implement rules, so it usually just gets limited to at least 1 of each character type and at least 'x' characters long. And some websites actually have a small (10-16) upper-bound on the length of the password too for no good reason. What I've started doing lately is combining the two (at least 1 letter, number, and symbol) along with randomized words, and just kinda do both.

Stavon

No. Password restrictions are there to make cracking harder. Some sysadmins just lack creativity.