password possibilities

Nov 28, 2009 13:43

On a recent visit to the hardware store, I saw this product




... which was clearly made by (or for) people who don't understand the idea of a "problem space."

But that made me start thinking about systems that have password security restrictions, like forbidding dictionary words, or requiring letters, numbers, and punctuation. They too are reducing the space of possible passwords, which in theory should make them _less_ secure. I guess the way to think about it is that the parts of the space they're closing off are ones with powerful attractors in them (i.e., lots of people will choose an English word if you let them). So they're slightly increasing their vulnerability to pure brute-force attacks, in exchange for causing most people to choose from a much wider variety of passwords than they otherwise would have. This happens in some other domains too -- it's neat how you can sometimes increase variety by reducing choice.

(PS - I'll bet that dictionary attack tools nowadays contain acronyms for the first lines of a few thousand popular songs. Also that a whole lot of passwords that require numbers in them are standard, insecure passwords with "1" stuck to the end. Punctuation? Normal passwords plus an exclamation point. Yes, I have been guilty of this. Once or twice.)

(PPS - Oh, wait... I used to own the kind of lock this is built on. You can pull the dials off and rearrange them. So it's not quite as bad as it looks.)
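To put a number on "slightly": the sketch below is an added example, not part of the original post. It assumes 8-character passwords over the 94 printable ASCII characters and a rule requiring at least one letter, one digit and one punctuation mark; the function names and sample passwords are constructed for illustration.

```python
from itertools import product
from math import log2
import string

# Assumed character classes (disjoint): 52 letters, 10 digits, 32 punctuation marks.
LETTERS, DIGITS, PUNCT = string.ascii_letters, string.digits, string.punctuation

def count_allowed(length, classes):
    """Passwords of `length` over the union of `classes` that use every class
    at least once, counted by inclusion-exclusion."""
    sizes = [len(c) for c in classes]
    total = 0
    for mask in range(1 << len(sizes)):          # mask = set of classes left out
        excluded = [s for i, s in enumerate(sizes) if mask >> i & 1]
        remaining = sum(sizes) - sum(excluded)
        total += (-1) ** len(excluded) * remaining ** length
    return total

def count_by_enumeration(length, classes):
    """Same count by listing every string; only feasible for toy alphabets."""
    alphabet = "".join(classes)
    return sum(all(any(ch in c for ch in pw) for c in classes)
               for pw in product(alphabet, repeat=length))

def bits_lost(length, classes):
    """Brute-force keyspace reduction caused by the rule, in bits."""
    full = sum(len(c) for c in classes) ** length
    return log2(full) - log2(count_allowed(length, classes))

def satisfies(pw, classes=(LETTERS, DIGITS, PUNCT)):
    """The composition rule itself: at least one character from each class."""
    return all(any(ch in c for ch in pw) for c in classes)

if __name__ == "__main__":
    classes = (LETTERS, DIGITS, PUNCT)
    print(f"8 chars: {bits_lost(8, classes):.2f} bits of keyspace lost to the rule")
    # Constructed samples following the PS: a common word with "1" and "!" appended.
    for pw in ("password", "password1", "password1!"):
        print(f"{pw!r:14} passes rule: {satisfies(pw)}")
```

Under these assumptions the rule costs less than one bit of brute-force keyspace, while the last sample shows that a rule of this kind still accepts the attractor it was meant to close off.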

models, math, snark, smart or stupid?
