You want to know what's weak? Strong password rules, that's what's weak!

by Michael S. Kaplan, published on 2008/05/27 02:11 -04:00, original URI: http://blogs.msdn.com/b/michkap/archive/2008/05/26/8554142.aspx


Regular reader Jan Kučera asked over in the Suggestion Box:

Hi,

Okay, this might be a little bit of a non-technical question, but... every day, somebody wants a _strong_ password from me. The best one would of course be a kilometer long, with some crazy stuff like _-*!#$ in it.

Well, I have nothing against special 'symbols' in the password, but why on earth are only ASCII characters supported? I don't know about e.g. banks in the USA, but in my short life I haven't found any web site allowing me to enter (um... supporting) a Unicode password.

Am I missing something fundamental here? :)

        Jan

My experience has been similar to Jan's, though slightly different:

  1. You can include pretty much any kind of character you want, but
  2. Characters outside of ASCII are not given appropriate consideration in terms of overall complexity.

Thus when you look at MSDN topics like Strong Password Enforcement and Passfilt.dll, they say things like:

The following complexity requirements are enforced by strong password enforcement:

| Character types | Examples |
| --- | --- |
| English uppercase letters | A, B, C, … Z |
| English lowercase letters | a, b, c, … z |
| Westernized Arabic numerals | 0, 1, 2, … 9 |
| Non-alphanumeric characters (special characters) | $, !, %, ^ |
| Unicode characters | €, Γ, ƒ, λ |

Having a nod to Unicode seems nice, and it is a welcome addition to the world of password complexity.

But I have a hard time having four categories apply to a subset of the first 27 characters in Unicode and then having just one category apply to the other 65,000+ characters in the BMP.

The fact that

seems to not be considered.

Articles that put more verbiage and justification into the issue, like Strong passwords: How to create and use them, somehow just seem worse, with the only nod to the bulk of Unicode being isolated suggestions like

Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.

or

You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of "MySoN 8N i$ 3 yeeR$ old" or a password (using the first letter of each word) "M$8ni3y0".

But say I tried to make a password based on random Unicode characters, such as:

ফཛڰװෝܣ໓ᄝឲౠफ़ဏஇฬほᢎሄ

sites like the Microsoft Password Checker consider this password to be weak.

To me, this seems like an analogue to audio encryption that uses frequencies beyond human auditory ranges, and hardly "weak".

Unless the checking is done for sites that convert the string to the system default code page, which would turn most of these to question marks....
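To make the complaint concrete, here is an added example (not code from the post or from Passfilt.dll) that applies the five-type rule from the table above to the random-Unicode password and to the article's "M$8ni3y0", estimates the bits each would carry if its characters were drawn at random from their type's pool, and shows what is left after the code-page conversion just mentioned. The pool sizes and the cp1252 code page are assumptions for the demo.

```python
import math
import unicodedata
from functools import lru_cache

# The random-Unicode password from the post, copied for the demo.
RANDOM_UNICODE_PW = "ফཛڰװෝܣ໓ᄝឲౠफ़ဏஇฬほᢎሄ"
# The "M$8ni3y0" example from the Microsoft article quoted above.
ARTICLE_PW = "M$8ni3y0"

def passfilt_category(ch: str) -> str:
    """Map one character to its Passfilt.dll character type (five buckets)."""
    if "A" <= ch <= "Z":
        return "upper"
    if "a" <= ch <= "z":
        return "lower"
    if "0" <= ch <= "9":
        return "digit"
    if ord(ch) < 0x80:
        return "special"      # every other ASCII character
    return "unicode"          # one bucket for everything beyond ASCII

def passes_passfilt(password: str, min_len: int = 8, min_types: int = 3) -> bool:
    """Windows-style complexity: long enough and at least min_types of the five types."""
    types = {passfilt_category(ch) for ch in password}
    return len(password) >= min_len and len(types) >= min_types

@lru_cache(maxsize=None)
def assigned_bmp_non_ascii() -> int:
    """Count assigned, non-surrogate, non-private-use BMP code points above ASCII."""
    return sum(1 for cp in range(0x80, 0x10000)
               if unicodedata.category(chr(cp)) not in ("Cn", "Cs", "Co"))

def pool_size(ch: str) -> int:
    """Assumed alphabet size a character was drawn from, per its Passfilt type
    (33 = printable ASCII that is neither a letter nor a digit)."""
    return {"upper": 26, "lower": 26, "digit": 10, "special": 33,
            "unicode": assigned_bmp_non_ascii()}[passfilt_category(ch)]

def entropy_bits(password: str) -> float:
    """Rough strength estimate: sum of log2(pool size), assuming random choice."""
    return sum(math.log2(pool_size(ch)) for ch in password)

def legacy_codepage_view(password: str, codepage: str = "cp1252") -> str:
    """What a site that squeezes input through a legacy code page actually stores."""
    return password.encode(codepage, errors="replace").decode(codepage)

if __name__ == "__main__":
    for pw in (ARTICLE_PW, RANDOM_UNICODE_PW):
        print(pw, passes_passfilt(pw), round(entropy_bits(pw), 1), legacy_codepage_view(pw))
```

The eight-character ASCII password passes the rule with four types and roughly 34 bits, while the Unicode one fails with a single type despite carrying several hundred bits, and after cp1252 conversion it is nothing but question marks.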

This blog brought to you by ཛ (U+0f5b, aka TIBETAN LETTER DZA)


# Cory Nelson on 27 May 2008 8:47 AM:

This is how I determine password complexity:

- remove any user info from it: username, first/last name, phone, etc.

- collapse any duplications: "abcabc" -> "abc", "foofoo" -> "fo"

- take what's left, and complexity = sum of distances between characters.

It aims to not only ensure a computer can't easily brute force it, but also to ensure it won't be trivial for a human to guess or remember from a quick glance.

It has worked well for me. Works with and even rewards using Unicode.
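One reading of the three-step metric in the comment above, as an added example rather than Cory Nelson's own code: "collapse duplications" is taken to mean repeatedly replacing any adjacent repeated substring xx with x until nothing changes (which yields both of his examples), and the user-info list is a constructed profile.

```python
import re

# Constructed profile fields; a real system would pull these from the account record.
USER_INFO = ["jkucera", "Jan", "Kucera", "555-0100"]

def strip_user_info(password: str, user_info=USER_INFO) -> str:
    """Step 1: remove every occurrence of the user's own details, case-insensitively,
    longest items first so 'Kucera' is not left behind by 'Jan' removal order."""
    for item in sorted(user_info, key=len, reverse=True):
        password = re.sub(re.escape(item), "", password, flags=re.IGNORECASE)
    return password

def collapse_duplications(s: str) -> str:
    """Step 2: replace any adjacent repeated substring xx with x, longest first,
    until a fixed point: "abcabc" -> "abc", "foofoo" -> "foo" -> "fo"."""
    changed = True
    while changed:
        changed = False
        for size in range(len(s) // 2, 0, -1):
            for i in range(0, len(s) - 2 * size + 1):
                if s[i:i + size] == s[i + size:i + 2 * size]:
                    s = s[:i + size] + s[i + 2 * size:]
                    changed = True
                    break
            if changed:
                break
    return s

def complexity(password: str, user_info=USER_INFO) -> int:
    """Step 3: sum of code-point distances between consecutive remaining characters."""
    s = collapse_duplications(strip_user_info(password, user_info))
    return sum(abs(ord(a) - ord(b)) for a, b in zip(s, s[1:]))

if __name__ == "__main__":
    for pw in ("abc", "aZaZ", "Jan2008", "a\u09ab"):
        print(repr(pw), complexity(pw))
```

Repetition is penalised (the "aZaZ" example collapses to two characters), and a single jump into another script, such as "a" followed by U+09AB, scores more than any run of ASCII.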

# josh on 27 May 2008 10:38 AM:

There are five types of characters.  I love Big Brother.

# Bruce Rusk on 27 May 2008 10:39 AM:

One reason for not using Unicode passwords: if you'll be using multiple computers, including public terminals and mobile devices, you may not be able to enter a non-ASCII password.

# Michael S. Kaplan on 27 May 2008 11:06 AM:

Hi Bruce --

That is a reason to not use them; it is hardly an argument against the amount of complexity they add, though...

# Dean Harding on 27 May 2008 6:57 PM:

Bruce gives *a* reason not to use Unicode passwords, but it obviously doesn't apply to everybody -- it certainly would only apply in the U.S. and maybe a few other English-speaking countries, but even in Australia, most internet cafes support lots of different languages (we do tourists here...). And what about people who don't use public computers at all (personally, the idea of typing my bank password in a public computer gives me the willies)?

I gotta agree with you on this one, Michael. When you look at the number of possible characters in each of those five "categories" you get 27, 27, 10, 50 (tops) and 65,000+. Something is funny there...

# Dean Harding on 27 May 2008 7:01 PM:

In fact, I'd probably go so far as to say that *any* password requiring "complexity rules" should not be typed into a public computer at all...

I know, sometimes you might not have a choice, but if it were me, I'd change my password as quickly as I can after doing it. If you're going overseas on holidays for example, you could change your password to a simple ASCII-based one before you leave, and then change it back to a strong one when you get back.

