Tuesday, May 01, 2007

Password rules?

A prominent computer services company has the following rules on their website when you register for their job stock:

1. Passwords must be at least 8 characters long and no longer than 16 characters.
2. Passwords must only contain alpha and numeric characters, not symbols.
3. Passwords must not contain more than two identical consecutive characters.
4. The first or last character of a password cannot be numeric.
5. Passwords cannot contain your e-mail address.

I wonder who came up with point 2, 3 and 4. Anyone can see that :

Assuming the restrictions weren't in place, there could be a possible of 26 times 2 (letters) + 10 (digits) + 10 (approx number of symbols) = 72 to the 8th power.. combinations. I don't even want to calculate that.

Restriction 2: cuts down the number of combinations from 72^8 to 62^8.

Restriction 4: cuts down number of combinations about 20 times (10 possibilities for first and last)

As for restriction 3, I would need to spend more than a few minutes to come up with the number of possible combinations that rule removes.

Needless to say, their rules make it easier for brute-force password attacks to be successful, and harder for people to come up with a password they are not likely to forget. Bravo.