2012-12-18

Most password policies are inappropriate to a large degree. Of this I have been sure for years. Maybe I should write an article about the topic ... but, well, many people have already covered it. Some of them have done it well, like Bill Cheswick in ``Rethinking Passwords''. [0]

The topic came up for me again as a recent registration forced me to pick a password with the following constraints:

    Password must be 6 to 8 characters long, and may contain
    alphanumeric characters (a - z, A - Z, 0 - 9) with no special
    characters.

I still don't get why a system would want to limit the length of a password. Passwords should be stored as hashes anyway, so their length (up to a reasonable limit, for instance 255 characters) should not matter at all. Systems might need to limit the character set for technical reasons, but these limitations need not be as restrictive as in this case.

We all should know that the length of a password is its most important component. Wikipedia states that a password of 21 lowercase latin characters is as strong as a 15-character password that uses the whole set of ASCII printable characters. I'd rather pick an arbitrary 15-character string and append ``foobar'' than construct a difficult 15-character password.

Hypothesis: If passwords are required to be longer than, say, 20 characters, no other constraints are necessary, as the passwords will automatically be strong enough (against brute force attacks and against dictionary attacks). And still, people won't have problems remembering them, as they could pick any arbitrary sentence and change it in only a single slight way to make it unusual.

[0] http://www.cheswick.com/ches/talks/index.html

http://marmaro.de/lue/
markus schnalke
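To check the Wikipedia comparison quoted above and to measure the 6-to-8-character alphanumeric policy against the 20-character hypothesis, here is a small brute-force search-space calculation. It is an example added to this post, not code from the original entry; it assumes every character is drawn uniformly from its set and ignores the structure a dictionary attack would exploit, so it gives an upper bound only.

```python
import math

# Character-set sizes used in the post (constants constructed for this example)
LOWERCASE = 26          # a-z
ALNUM = 62              # a-z, A-Z, 0-9 (the policy quoted above)
PRINTABLE_ASCII = 95    # all printable ASCII characters


def entropy_bits(charset_size: int, length: int) -> float:
    """Brute-force search space of a uniformly random password, in bits.

    Assumes each character is chosen uniformly from the set; any
    human-chosen structure (words, dates, keyboard walks) lowers the
    real value, so treat this as an upper bound.
    """
    return length * math.log2(charset_size)


def equivalent_length(target_bits: float, charset_size: int) -> int:
    """Smallest length drawn from `charset_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))


def policy_ceiling(max_length: int, charset_size: int) -> float:
    """Best case a policy with an upper length bound can ever allow."""
    return entropy_bits(charset_size, max_length)


def compare_wikipedia_claim() -> float:
    """21 lowercase vs. 15 printable-ASCII characters: difference in bits."""
    return entropy_bits(LOWERCASE, 21) - entropy_bits(PRINTABLE_ASCII, 15)


if __name__ == "__main__":
    print(f"21 lowercase:          {entropy_bits(LOWERCASE, 21):.1f} bits")
    print(f"15 printable ASCII:    {entropy_bits(PRINTABLE_ASCII, 15):.1f} bits")
    print(f"8 alnum (policy max):  {policy_ceiling(8, ALNUM):.1f} bits")
    print(f"20 lowercase sentence: {entropy_bits(LOWERCASE, 20):.1f} bits")
    print("lowercase length matching the 8-alnum ceiling:",
          equivalent_length(policy_ceiling(8, ALNUM), LOWERCASE))
```

The two Wikipedia cases land within a fraction of a bit of each other, while the quoted policy caps at roughly 48 bits, which an 11-character lowercase string already exceeds.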