Does it really improve a password if at least one character of each group (a-z,A-Z,0-9) is included?

For the people who just pick the simplest allowable password, this is indeed an improvement on entropy, such as password to pa55word (the first being about as bad as you can get, the second being significantly better yet still unacceptably simple). Password1 is ten times as complex as Password, but only because it is longer, though Passworda would be 26 times as complex as the original Password.

For the people who pick secure passwords, this is a hindrance. It forces passwords like ni{M?tofQPI.'C\`dfmSK to become 3i{M?tofQPI.'C\`dfmSK. From a sheer entropy perspective, there are fewer possibilities in digits (10) than in lowercase (26), uppercase (26), or special characters (~32). That n… password arguably* has 2.6 times as much entropy as the 3… password (2610).

Consider a more strict password scheme: you must have one uppercase, one digit, and one special character. An attacker therefore knows that there are a very large number of passwords that are impossible and therefore do not need to be tested in a brute force attack.

Using psychology, the attacker will also prioritize the first character as being uppercase and the last character as being either a digit or a special character, meaning that 1pa*sswoRd is much stronger than Password1* (but again, unacceptably simple). This is called "password topology" (learn more from Rick Redman's PathWell: Password Topology research).

* Calculating password entropy is very very difficult and nobody does it correctly (it's impossible to do "correctly" unless you're talking about measuring an automatic password generator). One must assume the worst-case scenario, that your password generation scheme is fully known to the attacker, since you cannot rely on security through obscurity. I've got my own way of calculating entropy that I like better than others I've seen, but it's imperfect as well. The best password generation advice is therefore to make a very long passcode that meets most recommended password guidelines even ignoring the first and last characters of the code.

When changing e.g. password to Password, you're doubling the entropy because it's the most common location to make uppercase (and upper-vs-lower has two options), whereas changing password to pAssword at least implies that the uppercase could be anywhere, instead increasing the complexity by 16x in this example (eight characters times two case possibilities).

Don't forget words. A word is worth 2-3 "random characters" and no more. Super obscure words (especially from rarer languages) may be worth up to four characters (see my entropy link above), but it's better to be conservative in your estimate. I say if it's in a spelling dictionary for any language you're known to speak, it's worth 2. Any other nontrivial word is worth 3. Password and other common passwords (even 1qaz2wsx; look at your keyboard) are worth 1, so Password1 is about as secure as K%. Since attackers can comb through your drives, any "word" found anywhere on your computer (excluding dictionaries) is worth 2 characters at most.

Random is hard for humans to come up with and harder still to remember (and, contrary to human intuition, arbitrary/obscure/clever is not "random"). That's why password managers offer to do it for you, creating a system in which you only ever need to remember one big fat password which you could e.g. memorize half of and stick the other half in your wallet.


For two randomly generated passwords of 8 characters (for example), choosing from the space (a-z,A-Z,0-9) versus (a-z,A-Z) does increase the strength of the password. You can calculate by how much by following the information in How should I calculate the entropy of a password?.

In practice, for human generated passwords, it is hard to say. Is Password1 really better than PasswordX? Probably not. Simple policies like this do not really force users to pick better passwords in practice.


There are two components to the answer to this question: the number of characters the password allow and the quality of passwords your users select.

Say your system allows and printable ASCII character to be used in your password, and passwords are of a fixed length of 5 characters (this is just an illustrative example remember).

If your users are perfect random number generators, then there are 95^5 possible combinations an attacker would have to try, and minimum "complexity" requirements would not improve security. From an attacker's POV, if the password is "ABCDE", this is no less secure than "J(@K>" because the attacker has no a-priori knowledge of the fact that all the characters are letters; he only knows that after the password has been found, and that combination was just as likely as any other 5-character string. **in fact, "complexity" requirements actually reduce entropy, as there are several combinations that are disallowed and so can be excluded from the attack.

Unfortunately, people are not random number generators. Not at all. People will choose things that are as easy to remember as possible. Attackers know this and will optimize their attack accordingly by prioritizing strings that are meaningful to a human (because now he does have some a-priori information). This is where password complexity requirements "help" by forcing at least a minimum variation in the characters used. Without these requirements, many people would simply use letters, and most attackers would exploit this be optimizing searches accordingly. Essentially, the complexity requirements make the pool of likely passwords bigger for human users. If, however, you are using a (hopefully cryptographically secure) pseudo-random number generator like Fortuna to generate your password, do not include these "complexity" requirements.

Finally, there are two dimensions to password complexity: variance in characters and number of characters. Making passwords have numbers and special characters increases one dimension, but it is probably far better to drop the complexity requirements in favor of long passwords (or pass-phrases). The entropy lost in having only English letters in the password is generally more than made-up for by having 6-10 words in a pass-phrase. These are also generally easier to remember than "complex" passwords.

Tags:

Passwords