Why do web applications insist on defining strong password rules?

Almost every site will shove and encrypt your password no matter which one you choose. The problem is not legacy code, server side database security or anything, developers will have this covered in most cases. The problem is that dumb users present delayed passwords that are easy to break. The point of the rules is to make you not choose too stupid a password.

Here's the link. http://www.codinghorror.com/blog/archives/001206.html

Okay, here's the whole story.

First of all, let's define a measure of the "kindness" of the scheme. When using passwords or the like, the measure is the average number of probes that requires a brute force attack to gain access.

Let's say that your passwords are drawn from the alphabet S with n characters, and the length of the password is k. Then the total number of possible passwords: n ^k .

On average, then a brute force attack will find a successful password in about n ^k / 2 or n ^k-1 tests.

For convenience and due to some information-theoretic considerations that I am not going to get into, we usually express this as the number of bits, which is lg n ^k where lg denotes the logarithm base 2. Since we are used to thinking of bits as discrete things, we we usually take the ceiling of this number, i.e. the smallest integer is greater than lg n ^k but in fact the fractional value is perfectly legal.

For printable characters, 8 character passwords, and other rules, this number is in the vicinity of 100 ⁸ or about 10 ¹⁶ ; that's about 53 bits. The only thing is that such random passwords are almost impossible to remember; they tend to land on yellow sticky notes and become vulnerable to this kind of attack. However, this is an extreme case. It takes about 100 trillion brute force attempts to figure it out. If every attempt costs money, then in theory your data could be worth as much as $ 1 trillion before it was worth the thief's time.

On the other hand, there are only about 50,000 commonly used dictionaries. That's about 16 bits, or it takes about 25,000 brute force attempts. Drawing each attempt costs a penny: then your data is better not worth more than $ 250.

Both of them are rule applications

R = P x H

where R is risk, P is the likelihood of something bad happening, and H (hazard) is the cost of a bad thing.

Now, the penny try is too high, but now you have the necessary tools. Find out what the data is worth and you can use this method to determine how extensive the ruleset you need is. (But be careful, as if you are making the rules too strict, then the entropy of the set of acceptable passwords becomes small until you get to the old joke, which after a lot of thought. Security has figured out the best password for everyone - "* 8h% Jd!" So now all users will start using this password.)

Anything that an untrained user (a common type for most web applications) finds natural and easy to remember will be easy to hack. It doesn't matter what you do to save it, because the cracking software can go through all the passwords that an untrained user is likely to use. Salting and hashing is only effective when users have good passwords.

The solution is to ask the user to remember something more difficult (which you reject), or to check the base against what the user has, not what the user can remember. It could be a written password, one of these security blogs that generate unpredictable numbers that change every few seconds, or something more esoteric.

What a website can do is allow all kinds of strong passwords. I hate sites where I want to use strong passwords (usually financial or medical) that have rules like "no special characters". (Of course, I don’t like reusing strong passwords; I don’t want someone who cracked my HMO security to freely dispose of from my Barnes and Noble account.)

This is probably not the answer you want, but the bad guys have capabilities that will overwhelm the kind of random security that most people are comfortable with.