- #1
fluidistic
Gold Member
- 3,923
- 260
Why do most websites enforce the use of different sets of characters when creating a password? This is less secure than choosing a password from different sets of characters uniformly randomly.
If we take an example of a 2 characters password and the 2 sets "letters" and "digits", if we use the good practice to maximize entropy by choosing uniformly randomly, then we have (26 + 10) ^2 = 1296 different passwords possible. Whereas if we follow the bad practice enforced by most websites, we have 26 x 10 = 260 possible passwords.
In the first case, we can fall into the bad luck to pick 2 digits, therefore falling into a single set category, containing only 10^2 = 100 passwords. Therefore there is approximately 8% chances to do worse than following what websites enforce.
There is 26 x 26 = 676 passwords that contains 2 letters, so about 52% chances to fall into a single category that provides better security than the one that is enforced upon us. This leaves about 40% chances we do equal than what is enforced upon us, with this simple example.
In more realistic examples, we are often limited to a few digits (<10) for banking stuff, to a low limit (<20) with few different sets of characters. In this latter case, following what is enforced is even worse than the simple example I described above. For larger passwords with more sets of different characters, I often let uniform randomness at play and many times (so a non negligible percentage) there is no character from several sets of characters. For example, the 40 characters long password generated doesn't contain lowercase letters, or digits. And it is better like this. Because the characters are chosen from a much larger set of characters than the one of lowercases.
We should not enforce the use of different sets of characters. At best, there could be a checker that one didn't pick a low entropy password by an extreme bad luck, but this would only happen if the password is too short anyway.
If we take an example of a 2 characters password and the 2 sets "letters" and "digits", if we use the good practice to maximize entropy by choosing uniformly randomly, then we have (26 + 10) ^2 = 1296 different passwords possible. Whereas if we follow the bad practice enforced by most websites, we have 26 x 10 = 260 possible passwords.
In the first case, we can fall into the bad luck to pick 2 digits, therefore falling into a single set category, containing only 10^2 = 100 passwords. Therefore there is approximately 8% chances to do worse than following what websites enforce.
There is 26 x 26 = 676 passwords that contains 2 letters, so about 52% chances to fall into a single category that provides better security than the one that is enforced upon us. This leaves about 40% chances we do equal than what is enforced upon us, with this simple example.
In more realistic examples, we are often limited to a few digits (<10) for banking stuff, to a low limit (<20) with few different sets of characters. In this latter case, following what is enforced is even worse than the simple example I described above. For larger passwords with more sets of different characters, I often let uniform randomness at play and many times (so a non negligible percentage) there is no character from several sets of characters. For example, the 40 characters long password generated doesn't contain lowercase letters, or digits. And it is better like this. Because the characters are chosen from a much larger set of characters than the one of lowercases.
We should not enforce the use of different sets of characters. At best, there could be a checker that one didn't pick a low entropy password by an extreme bad luck, but this would only happen if the password is too short anyway.