12 events
when what by license comment
Aug 2, 2018 at 12:31 answer added Tom timeline score: 0
Mar 20, 2016 at 16:28 vote accept pavlak11
Mar 19, 2016 at 12:19 comment added user49075 There is a password with a good reason for not being allowed: the empty string. That way, if the password field is left empty, then the provided "username" should not be stored.
Mar 19, 2016 at 2:37 comment added Neil Smithline The second scheme can produce passwords like 'pass12'. A top 250 password. Very bad.
Mar 18, 2016 at 22:34 comment added Stack Exchange Supports Israel The average entropy decreases, but the entropy of the weakest passwords may increase.
Mar 18, 2016 at 21:15 history tweeted twitter.com/StackSecurity/status/710937691152633857
Mar 18, 2016 at 20:53 comment added Jeff Meden Guaranteeing that a password has chars from both groups does nothing to resist brute forcing attacks. If the attackers are brute forcing and try all numbers first, then all letters first, then the rest, they are simply ordering the way they exhaust the password space, not making it any easier to get to the end (which statistically is the only point). Why not just use the first method and throw away any output that doesn't have at least 2 letters and at least 2 numbers?
Mar 18, 2016 at 18:55 answer added TTT timeline score: 15
Mar 18, 2016 at 18:19 answer added Mike Ounsworth timeline score: 11
Mar 18, 2016 at 18:18 comment added AdHominem The second scheme will not be more resilient to brute force than the first one, it just ensures that users won't be able to get really bad ones. If the implementation is leaked it would even be magnitudes easier to brute force. Guaranteeing that a password has at least x of a certain type has to be a property of the char set, not a decision.
Mar 18, 2016 at 18:11 review First posts
Mar 18, 2016 at 18:23
Mar 18, 2016 at 18:08 history asked pavlak11 CC BY-SA 3.0