Security idea

— 1 minute read

You know how some sites say your password has to be at least 6 characters? That's good for security in that longer passwords are harder to brute-force.

But it's bad for security in that the most common password on the Internet is currently "123456": just enough to satisfy the length requirement, with almost no entropy at all. You could spray that single password across a list of usernames and probably get a pretty decent hit rate.

...light bulb?

So here's an idea: Why not randomize the length limit?

"Your password must be at least {6-10} characters long."

Now you don't know whether the worst password is "123456", "1234567", ... or "1234567890". With five possible minimum lengths, guessing the weakest password of the laziest users just became 5 times harder (which isn't much, but it's getting somewhere).

This could be extended:

"Your password must be at least {6-10} characters long and contain at least {0-2} symbols and at least {0-2} uppercase letters."

Now it's 45 times harder (5 lengths × 3 symbol counts × 3 uppercase counts). That might actually be a meaningful difference, as long as the attacker can't find out which requirement a given account was handed: the signup page has to display it, so the same text must not leak later through login or password-reset error messages.
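To see the multiplier in action, here is an added simulation (not code from the post): each account draws its own requirement from the ranges above, every user picks the laziest password that passes, and an attacker sprays either just "123456" or the full set of laziest candidates. The "laziest user" model, the choice of "!" as the filler symbol and "A" as the filler uppercase letter, and the use of `string.punctuation` as the symbol set are all assumptions made for the example.

```python
import itertools
import random
import string
from dataclasses import dataclass

# Ranges from the post: minimum length drawn from 6..10, minimum symbol
# count and minimum uppercase count each drawn from 0..2.
LENGTHS = range(6, 11)
SYMBOL_COUNTS = range(0, 3)
UPPER_COUNTS = range(0, 3)

SYMBOLS = set(string.punctuation)  # assumption: what counts as a "symbol"


@dataclass(frozen=True)
class Policy:
    """One account's randomly drawn password requirement."""
    min_length: int
    min_symbols: int
    min_upper: int

    def check(self, password: str) -> bool:
        """True if the password satisfies this account's requirement."""
        n_symbols = sum(c in SYMBOLS for c in password)
        n_upper = sum(c.isupper() for c in password)
        return (len(password) >= self.min_length
                and n_symbols >= self.min_symbols
                and n_upper >= self.min_upper)


def all_policies() -> list[Policy]:
    """Every requirement the site can hand out: 5 * 3 * 3 = 45 of them."""
    return [Policy(length, symbols, upper)
            for length, symbols, upper
            in itertools.product(LENGTHS, SYMBOL_COUNTS, UPPER_COUNTS)]


def draw_policy(rng: random.Random) -> Policy:
    """What the signup page would draw for a new account."""
    return Policy(rng.choice(LENGTHS),
                  rng.choice(SYMBOL_COUNTS),
                  rng.choice(UPPER_COUNTS))


def laziest_password(policy: Policy) -> str:
    """Constructed model of the laziest user: the counting digits
    '123456...' padded with the minimum number of '!' and 'A' the policy
    demands, and not one character longer than required."""
    n_digits = policy.min_length - policy.min_symbols - policy.min_upper
    digits = "1234567890"[:n_digits]
    return digits + "!" * policy.min_symbols + "A" * policy.min_upper


def attacker_candidates() -> set[str]:
    """The set of 'worst' passwords a sprayer has to try once the
    requirement is randomized: 45 candidates instead of one."""
    return {laziest_password(p) for p in all_policies()}


def simulate_accounts(n: int, seed: int = 0) -> dict[str, str]:
    """n constructed accounts, each with its own drawn requirement and a
    user who picks the laziest password that requirement allows."""
    rng = random.Random(seed)
    return {f"user{i}": laziest_password(draw_policy(rng)) for i in range(n)}


def spray_success_rate(accounts: dict[str, str], guesses: set[str]) -> float:
    """Fraction of accounts a password spray with the given guesses opens."""
    hits = sum(pw in guesses for pw in accounts.values())
    return hits / len(accounts)


if __name__ == "__main__":
    accounts = simulate_accounts(9000, seed=1)
    one = spray_success_rate(accounts, {"123456"})
    full = spray_success_rate(accounts, attacker_candidates())
    print(f"spraying only '123456': {one:.1%} of accounts")
    print(f"spraying all {len(attacker_candidates())} candidates: {full:.1%}")
```

With a fixed minimum of 6, spraying "123456" alone would open every laziest-user account; with the randomized requirement it opens roughly one in 45, and the sprayer needs 45 attempts per account to get back to full coverage, which is exactly the kind of per-account attempt count a lockout threshold can punish.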