Password set/change error reporting

John Hascall john at iastate.edu
Fri Apr 4 15:23:53 EST 2003


> Personally, I don't like to go into a lot of detail about
> why passwords weren't acceptable.  Telling users that
> passwords must be 8 characters or more is (I think) more
> or less a guarantee that most users will pick passwords
> that are *exactly* 8 characters.  I'd rather give them
> a less specific error, like:
> 	Your password was too obvious
> than something that encourages people to stick right
> at the limit of the program's pickiness:
> 	Your password must be 8 or more characters and contain
> 	at least one non-alphanumeric character.
> ( which probably guarantees most passwords will be exactly
> 8 with exactly one non-alphanumeric... )

I had assumed this as well until I tested my assumption.

I modified our Kerberos server to log the classes of passwords as
they were set.   For example, if you set the password '1roolZ!'
I logged '9aaaaA#' (9=numeric, a=lower, A=upper, #=special)
and then after a while I looked at the kinds of passwords
people were choosing and the vast majority were stronger
than what we were requiring (in both length and complexity).

Of course, if you were changing your password at all you
were probably at least a little bit self-selected for caring
about security (since we don't yet have password expiration).

John
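The class-logging approach described above, as an added example (not John's code and not part of the MIT Kerberos code base): each character of a newly set password is mapped to its class symbol before logging, so the log holds only the shape, never the password, and the shapes are then summarized against the 8-character/one-special policy quoted in the thread. The log line format, the principal names and the sample shapes are constructed for illustration.

```python
"""Log password shapes (character classes) instead of passwords, then
summarize how far users sit from the policy minimum."""
import re
from collections import Counter

# Class symbols exactly as in the post: 9=numeric, a=lower, A=upper, #=special


def password_shape(password: str) -> str:
    """Map each character to its class symbol, e.g. '1roolZ!' -> '9aaaaA#'.
    Only the returned shape should ever reach a log; the password is discarded."""
    shape = []
    for ch in password:
        if ch.isdigit():
            shape.append("9")
        elif ch.islower():
            shape.append("a")
        elif ch.isupper():
            shape.append("A")
        else:
            shape.append("#")  # anything else counts as a special character
    return "".join(shape)


def meets_policy(shape: str, min_len: int = 8, min_special: int = 1) -> bool:
    """The rule quoted in the thread: 8+ characters, at least one non-alphanumeric."""
    return len(shape) >= min_len and shape.count("#") >= min_special


# Constructed sample log (hypothetical format): the KDC writes only the shape.
SAMPLE_LOG = """\
Apr  4 15:01:12 kdc[4242]: pwset princ=alice shape=9aaaaA#
Apr  4 15:02:40 kdc[4242]: pwset princ=bob shape=aaaaaaa#
Apr  4 15:03:05 kdc[4242]: pwset princ=carol shape=Aaaaaa99#
Apr  4 15:04:51 kdc[4242]: pwset princ=dave shape=aaaa9999
Apr  4 15:06:19 kdc[4242]: pwset princ=erin shape=Aaaa#aaa99##
Apr  4 15:07:33 kdc[4242]: pwset princ=frank shape=AAAAAAAA#
Apr  4 15:09:02 kdc[4242]: pwset princ=grace shape=a#a#a#a#a#a#
Apr  4 15:10:47 kdc[4242]: pwset princ=heidi shape=Aaaaaaa#
"""

SHAPE_RE = re.compile(r"\bshape=(\S+)")


def shapes_from_log(text: str) -> list:
    """Pull the shape field out of each logged password-set event."""
    return [m.group(1) for m in SHAPE_RE.finditer(text)]


def summarize(shapes: list, min_len: int = 8, min_special: int = 1) -> dict:
    """Count how many shapes meet the policy, how many sit exactly at the
    minimum (the clustering the quoted poster feared), and how many exceed
    it in both length and complexity (what John observed)."""
    ok = [s for s in shapes if meets_policy(s, min_len, min_special)]
    at_minimum = sum(
        1 for s in ok if len(s) == min_len and s.count("#") == min_special
    )
    stronger_in_both = sum(
        1 for s in ok if len(s) > min_len and s.count("#") > min_special
    )
    return {
        "total": len(shapes),
        "meets_policy": len(ok),
        "at_minimum": at_minimum,
        "stronger_in_both": stronger_in_both,
        "length_hist": dict(Counter(len(s) for s in shapes)),
        "class_count_hist": dict(Counter(len(set(s)) for s in shapes)),
    }


if __name__ == "__main__":
    for key, value in summarize(shapes_from_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run over a real log, the `at_minimum` versus `stronger_in_both` split is the number that settles the argument in the thread: a large `at_minimum` share means the error text is steering users to the limit, a large `stronger_in_both` share means it is not.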



More information about the krbdev mailing list