What’s a Bad Password Rule

Previously we looked at the different types of password rules in the wild today. Many of them are conflicting, and not all of them are good.

Knowledge is power – knowing how to spot bad password rules can alert you that a system is potentially poorly implemented, and that the people running it may not have much security knowledge. Depending on the sensitivity of what you need to do with them, this knowledge might just steer you away from doing business with them, so you won’t have a security breach down the road to worry about.

Even when you must do business with them, you can still send them this article to tell them to fix and improve their system. Most of the people out there have good intentions in mind (i.e. they are not trying to steal your password) if they want to do business with you; they just might not have all the knowledge needed to do it properly. You, being a customer, can help nudge them in the right direction.

It’s actually quite easy to spot bad password rules – it’s pretty much any negative statement. For example:

  • Cannot use special characters such as &, %, #

is a common one.

There are actually no technical reasons why the above characters cannot be used, or any characters for that matter (you ought to be able to use Chinese characters if you know how to type them). The only situation where a limitation makes sense is if you will use the password to log in from a tool that cannot type these characters (such as an interactive voice response system), but more often than not, a phone-based system is accessed with a different secret (called a PIN in this case) instead. So even in that case it doesn’t really apply. And many sites having this limitation do not have phone-based logins.

Another extremely common negative statement is a limit on maximum password size. Some are more reasonable than others, but some are extremely short. To understand why a short maximum is a problem, we’ll need to understand a bit more about how passwords work.

The total key space is 1,000 for this combination lock.

If we look at the combination lock above, it has 3 digits. Each digit has 10 positions, so the total number of combinations (called the key space) of this lock is 10 x 10 x 10 = 1,000. In other words, if someone tries to unlock this lock, they have a 1 in 1,000 chance of getting it on the first try.

To increase the key space (i.e. reduce the chance of someone guessing the combination), we can either increase the number of digits, or increase the number of positions per digit.

The key space is 10,000 for this lock.

For example, the lock above has 4 digits, so its key space is 10 x 10 x 10 x 10 = 10,000. With one additional digit we have decreased the odds of a correct first guess tenfold.

The key space for this lock is 64,000.

The padlock above has only 3 digits, but each digit has 40 positions, so the total key space is 40 x 40 x 40 = 64,000.

Passwords work exactly the same way: limiting the maximum length limits the total number of digits, and banning special characters limits the number of positions per digit. Either rule reduces the total key space of the password, which reduces the strength of the password system itself.
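To make the lock-to-password mapping concrete, here is an added Python example (not from the original post) that computes the key space of the three locks and of a password policy with a banned-character list and a length cap. The 95-character printable ASCII alphabet and the sample rule sets are assumptions.

```python
import math

# Assumed alphabet (constructed for illustration): the 95 printable ASCII
# characters. Every banned character removes one "position per digit".
PRINTABLE_ASCII = 95


def lock_key_space(digits: int, positions_per_digit: int) -> int:
    """Key space of a combination lock: positions ** digits."""
    return positions_per_digit ** digits


def password_key_space(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords a policy permits.

    Same idea as the lock: alphabet_size is the positions per digit and
    the length is the number of digits. A policy allows every length from
    min_len to max_len, so the key space of each length is summed.
    """
    if alphabet_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("invalid policy")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(key_space: int) -> float:
    """Key space expressed in bits; each extra bit doubles the guessing work."""
    return math.log2(key_space)


def policy_bits(banned_chars: str, min_len: int, max_len: int) -> float:
    """Bits of key space for a rule set that bans characters and caps length."""
    alphabet = PRINTABLE_ASCII - len(set(banned_chars))
    return entropy_bits(password_key_space(alphabet, min_len, max_len))


if __name__ == "__main__":
    # The three locks from the text: 3x10, 4x10 and 3x40.
    for digits, positions in [(3, 10), (4, 10), (3, 40)]:
        print(f"{digits} digits x {positions} positions -> "
              f"{lock_key_space(digits, positions):,}")
    # A restrictive rule set (constructed) versus a permissive one.
    print(f"ban &%# and cap at 12: {policy_bits('&%#', 8, 12):.1f} bits")
    print(f"no ban, cap at 64:     {policy_bits('', 8, 64):.1f} bits")
```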

It takes much more effort to crack a lock with a 10,000 key space than a lock with a 1,000 key space.

About the only good negative statement in a password rule is a minimum length limit, as this rule ensures a minimum amount of key space is used.

So the next time you find a site with arbitrary character or length limits, send the administrator this article!
