2012-12-27

I hate password policies!

At one website I have an old password with bad strength. I wanted to change it to a password with good strength. The website's password policy prevented me from doing so because it required passwords to meet their restrictive policy. The website claimed secure passwords would consist of 6 to 20 characters, although passwords with only six characters are hardly secure and passwords with more than twenty characters are definitely secure as well. Furthermore, they required passwords to include several sets of characters. Implicitly they tell users that the password ``|ml33t'' (39 bits of entropy) is secure but the password ``iamaleethackerfoobarbaz'' (108 bits of entropy) is not. For brute force attacks it is 2.5 times as strong, even when it is known that only lowercase letters were used. For dictionary attacks the former password is hardly stronger because attackers know about the use of leetspeak in passwords, of course. As the short password consists of three words only, whereas the latter one consists of eight words, the former one is rather easier to crack.

The strength of a password (against brute force attacks) is a function of the character set that the attacker will check for (!) and the password length. The influence of the password length is much greater than the influence of the character set size.

Concerning dictionary attacks, easily guessable passwords need to be avoided. These are all dictionary words, the login name, anything that looks like a birthdate, words with 1-4 digits appended, and the like. (Soon, as computing power and network speed increase, we need to add ``correct sentences'' here as well.)

Including a single non-ASCII character in the password will likely let almost all brute force attacks fail. For technical reasons, however, it might not be such a good decision to do so.

Coming back to the original problem of changing my insecure password: my chosen secure password does not meet their password policy. Now I have the choice: construct a password that meets their criteria or leave the password unchanged.

http://marmaro.de/lue/
markus schnalke
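The two estimates the post compares, as an added example that is not part of the original post: brute force work as length times log2 of the alphabet the attacker actually searches, next to a checker for the 6-to-20-characters policy described above. The post does not list the character classes the site counted, so four classes and a threshold of three are assumed.

```python
import math
import string

# Alphabets an attacker might search: all printable ASCII (letters, digits,
# punctuation = 94 characters) or lowercase letters only (26).
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation
LOWERCASE = string.ascii_lowercase

# Character classes a "several sets of characters" rule typically counts.
# The post does not name the exact classes; these four are an assumption.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def brute_force_bits(password: str, alphabet: str) -> float:
    """Work for an exhaustive search at this length: len * log2(|alphabet|).
    The alphabet is what the attacker checks for, not what the user typed."""
    return len(password) * math.log2(len(alphabet))

def classes_used(password: str) -> int:
    """Number of the assumed character classes present in the password."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in password))

def meets_policy(password: str, min_len: int = 6, max_len: int = 20,
                 min_classes: int = 3) -> bool:
    """The policy complained about in the post: 6 to 20 characters plus
    several character classes (a threshold of three is assumed)."""
    return min_len <= len(password) <= max_len and classes_used(password) >= min_classes

def compare(short: str, long_: str) -> dict:
    """Score both passwords under the attacker models the post uses: the short
    one against the full printable set, the long one with the attacker already
    knowing it is lowercase only. Also report what the policy says about each."""
    return {
        "short_bits": brute_force_bits(short, PRINTABLE_ASCII),
        "long_bits_lowercase_known": brute_force_bits(long_, LOWERCASE),
        "short_passes_policy": meets_policy(short),
        "long_passes_policy": meets_policy(long_),
    }

if __name__ == "__main__":
    for key, value in compare("|ml33t", "iamaleethackerfoobarbaz").items():
        print(f"{key}: {value:.1f}" if isinstance(value, float) else f"{key}: {value}")
```

The stronger passphrase fails the policy on length and on class count, while the six-character leetspeak password passes it.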