Unique characters in password - good or bad?


(Stephen Chung) #1

When using Discourse as a private repository of sensitive/confidential information, we care about password security. My question is: is enforcing unique characters in passwords a good practice or bad?

The Internet seems to have a consensus that:

  • Longer passwords are better, although technically speaking it reduces the search space. However, the trade-off seems to be accepted by most due to the fact that

    1. humans are lazy, and will use short passwords if allowed to
    2. the search space reduction is mostly in short passwords which is not significant compared to the entire search space
  • Passwords combining different character groups are better, although, again, technically speaking it reduces the search space. But again, humans are lazy and won’t use weird/uppercase characters if they don’t have to.

  • A min number (usually at least 5 recommended) of unique characters are better. This is less certain. My question concerns this.

I am thinking that forcing unique characters may actually decrease security because:

  1. Not many people will use strings of the same characters in passwords… for example, they’ll tend to type 12345 or qwert instead of 00000.

  2. Limiting the ability to repeat characters SIGNIFICANTLY reduces the search space. Forgot where I read it, but I read it somewhere that it reduces the search space by more than half.

Any thoughts by security experts on this?
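As an added example (not code from this thread or from Discourse), the search-space argument in the post above can be put into numbers. The Ruby script below counts, with exact integer arithmetic, how many length-n passwords over a k-symbol alphabet use at least m distinct characters, and what fraction of the full k**n space that leaves. The n=8, k=26 figures are chosen here for illustration; the Stirling-number formula is the standard one.

```ruby
# Added example: how much of the password search space survives a
# "must contain at least m distinct characters" rule.
# Alphabet size k, password length n, exact integer arithmetic.

# Stirling numbers of the second kind S(n, j): the number of ways to
# partition n positions into j non-empty groups (positions that share
# the same character form one group).
def stirling2(n, j, memo = {})
  return 1 if n.zero? && j.zero?
  return 0 if n.zero? || j.zero? || j > n
  memo[[n, j]] ||= j * stirling2(n - 1, j, memo) + stirling2(n - 1, j - 1, memo)
end

# k * (k-1) * ... * (k-j+1): ordered choice of j distinct symbols out of k.
def falling_factorial(k, j)
  (0...j).reduce(1) { |acc, i| acc * (k - i) }
end

# Number of length-n strings over k symbols that use exactly j distinct symbols.
def count_exactly_distinct(n, k, j)
  falling_factorial(k, j) * stirling2(n, j)
end

# Number of length-n strings that use at least m distinct symbols.
def count_at_least_distinct(n, k, m)
  (m..[n, k].min).sum { |j| count_exactly_distinct(n, k, j) }
end

# Fraction of the full k**n space still allowed under an "at least m distinct" rule.
def search_space_fraction(n, k, m)
  Rational(count_at_least_distinct(n, k, m), k**n)
end

if __FILE__ == $PROGRAM_NAME
  n = 8   # illustrative length
  k = 26  # illustrative alphabet: lowercase ASCII letters only
  [1, 2, 5, 8].each do |m|
    f = search_space_fraction(n, k, m)
    printf("length %d, alphabet %d, at least %d distinct: %.4f of the space remains\n",
           n, k, m, f.to_f)
  end
end
```

For 8 lowercase letters, requiring at least 5 distinct characters removes well under 1% of the space, whereas forbidding any repeat at all (8 distinct out of 8) leaves only about 30% of it, which is the "more than half" effect the post mentions. The rule's cost depends entirely on how close m is to the password length.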


(Jeff Atwood) #2

Read the blog entry I wrote about this; it covers everything you are asking in excruciating detail.


(Stephen Chung) #3

A link will help here… :sweat_smile:


(Matt Palmer) #4

Your Password is Too Damn Short and Password Rules Are Bullshit


(Dave McClure) #5

Here’s another good one:


(Jeff Atwood) #6

Yes thank you, and the final part of that 3-part series: Hacker, Hack Thyself


(Stephen Chung) #7

In general, not much advice on how much entropy is good for a password. It is understood that no entropy (i.e. all same letters) is bad (for ASCII). What about entropy of one? Meaning at least two different characters?

I’ll argue that no entropy for ASCII letters is bad, but no entropy for Unicode characters? Emoji? That cannot be too bad, right?


(Matt Palmer) #8

Entropy is just an expression of how many guesses it’ll take to brute-force a password. How much you need is dependent on the threat model (online vs offline attack, rate limiting and hashes, and a bunch of other things). Without knowing your threat model, it’s impossible to give a recommendation as to how much entropy is “good enough”.

Also, password entropy is, at best, a fairly hand-wavy measurement. It’s not a mathematical science. In many ways, there are only two types of passwords: those that are in the attacker’s list of passwords to try, and secure passwords. All possible short strings will be in there, and a whole pile of “known” longer passwords. Everything else is OK to use.


(Sam Saffron) #9

Totally, this password has tons of entropy.

abcdefghaijklmnopqrstuv


(Mittineague) #10

I imagine it would not be that difficult to use recursive Levenshtein distance from knowns. A constant battle that my tinfoil hat self might think is intentional so everyone will be not only willing but anxious to give their personal visible and audible data over. :thinking:

In more ways than one, password security reminds me of captchas. ie. the best that can be hoped for is a best guess compromise that’s flexible enough to adapt as needed.


(Jeff Atwood) #11

You do know Discourse checks all new user passwords against the 10 million most common repeated passwords, yes? And prevents them from being used? That covers pretty much all the cases you are describing.

The only hole in that strategy was covered in one of the blog posts I linked: native languages differ.


(Stephen Chung) #12

It says 10,000 most common passwords in the settings. Does this mean it is 10 million repeated passwords extra?


(Sam Saffron) #13

I think it was 10 thousand, we would need a different strategy for a 10 million password block.


(Jeff Atwood) #14

It is many, many millions, all the common password lists merged together. The reason the list isn’t very big is because of this graph… which was in the above blog posts.

I will leave understanding that, as an exercise for the reader…

Really, read those blog posts closely @schungx. You’re making me repeat myself over and over here for no good reason. All the info you need is there.


(Stephen Chung) #15

Well, that probably means that you have not been very clear about what you claim as 10 million.

What you really mean is:

  • Discourse checks against the 10,000 (as per setting) most common passwords that are >= 10 characters in length (default setting in Discourse)

  • The 9,990,000 passwords < 10 characters long are not checked because it is assumed that the minimum password length is 10.

  • It is caveat emptor if I set minimum password length < 10!
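As an added example (not code from the thread and not Discourse's own implementation), the Ruby script below shows the two ideas discussed in this part of the thread together: Matt's point in #8 that what matters is whether a password is on the attacker's list, not its estimated entropy, and the minimum-length filtering of the common-password list described in #11 through #15. The common-password list here is a small constructed sample in most-common-first order; the real list, the exact-match comparison and the naive entropy formula are all assumptions made for illustration.

```ruby
require 'set'

# Constructed sample of a "most common passwords" list, most common first.
# This is NOT the real list used by Discourse; it only illustrates the filtering.
SAMPLE_COMMON_PASSWORDS = %w[
  123456 password 12345678 qwerty 123456789 12345 1234 111111 1234567
  password1 1234567890 abc123 qwertyuiop 123123 iloveyou letmein1234
  correcthorsebattery passwordpassword 1q2w3e4r5t6y7u
].freeze

# Keep only entries a user could actually submit under min_length, then take
# the top_n most common of those. Entries shorter than min_length are already
# rejected by the length rule, so storing them would only cost memory.
def build_blocklist(common_list, min_length:, top_n:)
  common_list.select { |p| p.length >= min_length }.first(top_n).to_set
end

# The common naive estimate: length * log2(size of the character classes used).
# It rewards strings like "abcdefghaijklmnopqrstuv" that any attacker list or
# pattern rule would catch, which is why it is at best hand-wavy.
def naive_entropy_bits(password)
  charset = 0
  charset += 26 if password.match?(/[a-z]/)
  charset += 26 if password.match?(/[A-Z]/)
  charset += 10 if password.match?(/\d/)
  charset += 33 if password.match?(/[^a-zA-Z\d]/) # printable ASCII symbols
  return 0.0 if charset.zero?
  password.length * Math.log2(charset)
end

# Length rule first, then exact-match lookup against the filtered blocklist.
def check_password(password, blocklist, min_length:)
  return :too_short if password.length < min_length
  return :common if blocklist.include?(password)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  min_length = 10
  blocklist = build_blocklist(SAMPLE_COMMON_PASSWORDS, min_length: min_length, top_n: 10_000)
  puts "blocklist entries surviving min_length=#{min_length}: #{blocklist.size}"
  %w[password1 qwertyuiop abcdefghaijklmnopqrstuv].each do |pw|
    printf("%-26s naive bits=%6.1f verdict=%s\n",
           pw, naive_entropy_bits(pw), check_password(pw, blocklist, min_length: min_length))
  end
end
```

Lowering min_length lets shorter list entries (such as "password1") back into the blocklist, so a deployment that relaxes the length setting also needs a blocklist built for that length. The sequential string from #9 passes both checks with a high naive score, which is exactly the gap the thread's "is it on the attacker's list" framing is about.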


(Jeff Atwood) #16

Sort of, you need to read the blog posts closely. Study them like a textbook. There are years of work behind those posts.


(Bhanu Sharma) #17

@codinghorror Those 3 (actual lifesaving articles) made me change passwords almost everywhere including bank, social and email accounts with immediate effect! … Thanks a ton for saving the day.


(Markus) #18

I hope someday it will be possible to get rid of all of these ugly passwords.

Maybe by offering client auth certificates and giving the users a provisioning profile for mobile devices, if needed.


(Joe) #19

Not entirely related but…

I use Google Authenticator and it does exactly that.

When you log in you need to enter a 4 digit pin generated by the Google Authenticator app on your phone (code expires every 60 seconds)

It’s sort of like one of those bank devices they give you to log in to internet banking.

Still a very limited idea in theory but a great idea nonetheless.


(Markus) #20

Overall a good compromise with one exception: I don’t like to trust third-parties - especially Google, Facebook, etc - in property security solutions. I don’t like to install extra (black boxed) apps for very limited use cases.