Doing Password Complexity Wrong
Posted: Tue, 8 July 2014
I just made an account on yet another web service. On the suggestion of my
password manager, I attempted to use the password “W:9[$X*F”. It was
rejected because “Password must contain at least one non-alphabet character,
one lowercase letter, one uppercase letter”. OK, how about “Passw0rd”?
Yep, that’s fine.
Anyone want to guess which of those two passwords is going to fall victim to a brute-force attack first? Go on, don’t be shy, take a wild shot in the dark!
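The rule quoted above, next to a length-plus-denylist check, as an added example that is not from the original post or from the site in question. The denylist contents, the substitution map and all function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample denylist (assumption); a real deployment would load a
# large list of breached or commonly used passwords.
COMMON_BASE_WORDS = {"password", "letmein", "welcome", "qwerty", "admin"}

# Character substitutions undone before the denylist lookup (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def site_rule(pw: str) -> bool:
    """Composition rule as quoted in the post: at least one non-alphabet
    character, one lowercase letter and one uppercase letter."""
    return (any(not c.isalpha() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw))


def normalise(pw: str) -> str:
    """Lowercase, drop trailing digits/punctuation, then undo substitutions,
    so 'Passw0rd' and 'Password1!' both collapse to 'password'."""
    stripped = pw.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def denylist_rule(pw: str, min_len: int = 8) -> bool:
    """Alternative check: minimum length plus a denylist lookup on the
    normalised form, with no character-class requirements."""
    return len(pw) >= min_len and normalise(pw) not in COMMON_BASE_WORDS


def random_search_bits(pw: str) -> float:
    """Size of the search space in bits, assuming every character was drawn
    uniformly from the 94 printable ASCII symbols. Only meaningful for
    generated passwords, not for ones a person chose."""
    return len(pw) * math.log2(94)


if __name__ == "__main__":
    for candidate in ("W:9[$X*F", "Passw0rd"):
        print(candidate,
              "site_rule:", site_rule(candidate),
              "denylist_rule:", denylist_rule(candidate))
```

The generated password fails the composition rule only because it happens to contain no lowercase letter, while the dictionary word with one substitution satisfies all three character classes.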
2 Comments
From: Paul Mellors
2014-07-08 16:48
Well being the expert user I am, I would say the problem lies with “W:9[$X*F”, I mean take W, it’s the second letter on the keyboard, how easy is that to get ;)
From: Matt Palmer
2014-07-08 16:55
Wow, I never thought of it that way. That’s probably exactly the problem. (grin)