Passwords and Math

Let's take a moment to talk about password security, starting with a somewhat absurd example to clear up an issue that has constantly bothered me.

Which of these would you consider the best recommendation for creating a secure password (read carefully)?

  1. "Your password must be exactly 2 characters long."
  2. "Your password must be exactly 2 characters long and must contain an uppercase letter and a number."

In this scenario, the first option might seem like the obvious choice: with exactly 2 characters drawn from the 95 printable ASCII characters, the first rule allows 95 × 95 = 9,025 passwords, while the second allows only one uppercase letter and one digit in either order, 26 × 10 × 2 = 520. However, we often encounter requirements that look like the second option, right? Two factors make the second set of requirements the better choice as the password length increases:

  1. As the password length increases, the share of the keyspace that a composition rule (such as requiring an uppercase letter and a digit) excludes shrinks toward zero, so the speed-up an attacker gains from knowing the rule all but disappears. At 2 characters the rule throws away most of the keyspace; at realistic lengths it throws away a negligible fraction.
  2. Left to themselves, people do not diversify their characters enough to significantly increase the combinatorial complexity of their passwords: an all-lowercase password of length n is drawn from only 26^n possibilities, a far smaller space than the rule-satisfying one at any realistic length.

Thus, a bit counterintuitively, mandating the inclusion of diverse character types is indeed beneficial.
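To put numbers on both factors, here is an added worked example (my own code, not part of the original post). It assumes the 95 printable ASCII characters split into 26 lowercase, 26 uppercase, 10 digits and 33 symbols, and counts the rule-satisfying keyspace exactly by inclusion-exclusion rather than by brute-force enumeration, so it also works for lengths where enumeration is impossible.

```python
from itertools import combinations
from math import log2

# Assumption: printable ASCII (95 characters) split into the usual composition classes.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def count_with_required(length, required=()):
    """Number of strings of `length` characters over the 95 printable ASCII
    characters that contain at least one character from *every* class in
    `required`.  Inclusion-exclusion over the required classes that are absent:
    total - (strings missing A) - (strings missing B) + (strings missing both) ...
    With required=() this is simply 95**length."""
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for absent in combinations(required, k):
            size = ALPHABET - sum(CLASSES[c] for c in absent)
            total += (-1) ** k * size ** length
    return total


def composition_penalty_bits(length, required):
    """Bits of keyspace an attacker saves by knowing the composition rule:
    log2(unconstrained keyspace / rule-satisfying keyspace).  This is factor 1."""
    free = count_with_required(length)
    constrained = count_with_required(length, required)
    return log2(free / constrained)


def lowercase_only_bits(length):
    """Keyspace, in bits, of a user who picks only lowercase letters, the
    'no requirements, no diversity' behaviour of factor 2."""
    return length * log2(CLASSES["lower"])


def compare(length, required=("upper", "digit")):
    """Return (rule penalty in bits, rule-satisfying keyspace in bits,
    lowercase-only keyspace in bits) for one password length."""
    return (
        composition_penalty_bits(length, required),
        log2(count_with_required(length, required)),
        lowercase_only_bits(length),
    )


if __name__ == "__main__":
    rule = ("upper", "digit")  # the post's second option: at least one uppercase and one digit
    print(f"{'len':>3} {'rule penalty (bits)':>20} {'rule keyspace (bits)':>21} {'lowercase only (bits)':>22}")
    for n in (2, 3, 4, 8, 12, 16):
        penalty, constrained, lower = compare(n, rule)
        print(f"{n:>3} {penalty:>20.2f} {constrained:>21.1f} {lower:>22.1f}")
```

Running it reproduces the 2-character case (9,025 versus 520 passwords, about 4.1 bits handed to an attacker who knows the rule) and shows the penalty collapsing to well under one bit by 8 characters and to a few tenths of a bit at 16, while the all-lowercase keyspace falls behind the rule-satisfying one already at 3 characters and never catches up.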

(Aside: It's widely acknowledged that "correct horse battery staple" is still the best type of password, right?)