Ok, I want to make the argument that putting restrictions on passwords is not exclusively a good thing.

There are normally rules you need to follow when you create one, which are there to prevent dictionary attacks. I.e., you need at least 1 capital letter, at least one numeric and at least one non-capitalized letter.

If we say that there are 120 writable characters in a password, and the maximum number of characters you can have is 8, then the keyspace of the password should be 8^120.

I can see that the keyspace would be reduced when you impose limits on it, but by how much? How do I calculate the new keyspace given the restrictions I wrote above?

This is sort of an attempt at that:

There are 120 - 26 writable characters if you remove all capital letters. This gives 8^94 combinations which you can remove from the original keyspace? So with the only restriction being at least 1 capital letter, the new keyspace is 8^120 - 8^94? That is a pretty hefty reduction on a brute force attack.

So hefty, in fact, that my logic must be flawed somewhere?

Anyone able to help me out and show how to remove all instances without a capital letter, a small letter and a number from the keyspace?

k
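An added worked example, not part of the original post: counting the passwords that satisfy all three rules by inclusion-exclusion over the character classes that could be missing, cross-checked against brute-force enumeration on a small constructed alphabet. It assumes passwords of exactly 8 characters, counts the strings of length n over an alphabet of size a as a ** n, and treats the three classes (26 capitals, 26 lowercase, 10 digits) as disjoint subsets of the 120 characters; all function names are hypothetical.

```python
from itertools import combinations, product


def constrained_keyspace(alphabet_size, length, class_sizes):
    """Count strings of exactly `length` symbols that contain at least one
    symbol from every required class (classes assumed disjoint).

    Inclusion-exclusion: for each subset of classes that is entirely absent,
    the remaining alphabet shrinks by the size of those classes; subsets of
    odd size are subtracted, subsets of even size are added back.
    """
    total = 0
    for k in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, k):
            remaining = alphabet_size - sum(missing)
            total += (-1) ** k * remaining ** length
    return total


def brute_force_keyspace(alphabet, length, classes):
    """Enumerate every string and count the compliant ones (small inputs only)."""
    return sum(
        1
        for candidate in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in candidate) for cls in classes)
    )


def surviving_fraction(alphabet_size, length, class_sizes):
    """Share of the unrestricted keyspace that still satisfies the rules."""
    full = alphabet_size ** length
    return constrained_keyspace(alphabet_size, length, class_sizes) / full


if __name__ == "__main__":
    # Constructed toy alphabet: 2 capitals, 2 lowercase, 2 digits, 2 others.
    toy_classes = ["AB", "ab", "01"]
    toy_alphabet = "ABab01!?"
    print("toy formula:    ", constrained_keyspace(8, 4, [2, 2, 2]))
    print("toy brute force:", brute_force_keyspace(toy_alphabet, 4, toy_classes))

    # Figures from the post: 120 characters, length 8, 26/26/10 classes.
    print("compliant passwords:", constrained_keyspace(120, 8, [26, 26, 10]))
    print("fraction remaining: %.4f" % surviving_fraction(120, 8, [26, 26, 10]))
```

With a single required class, the same function reduces to the "all strings minus strings with no capital" subtraction attempted in the post.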
