this post was submitted on 20 Aug 2024
194 points (96.2% liked)
Asklemmy
43963 readers
1106 users here now
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You don't add them, you enforce at least one. That eliminates all combinations without upper case letters.
So, without this rule you would indeed have the 52x52 possible passwords, but with it you have (52x52)-(26x26) possible passwords (the second bracket is all combinations of 2 lowercase letters), which is obviously less.
Wrong. In your example, for any given try, if you have put a lowercase letter in spot 1, you don't need to try any lowercase in spot 2.
Any information you give the attacker eliminates possible combinations.
I think I'm confused on your point.
I interpreted your statement to mean "adding a requirement for certain types of characters will decrease the number of possible passwords compared to no requirements at all", which is false. Even in your example above, with only two letters, no numbers / special characters allowed, requiring a capital letter decreases the possibilities back to the original 676 possible passwords - not less.
Perhaps you're trying to say that passwords should all require certain complexity, but without broadcasting the password requirements publicly? I suppose that's a valid point, but I don't think the tradeoff of time required to make that secure is worth the literal .000001% (I think I did the math right) improvement in security.
No it doesn't. It reduces the possibilities to less than the 52x52 possibilities that would exist if you allowed all possible combinations of upper and lower case letters.
You are confused because you only see the two options of enforcing or not allowing certain characters. All characters need to be allowed but none should be enforced. That maximizes the number of possible combinations.
No, because that's still the same. An attacker can find out the rules by creating accounts and testing.