Password diversity

Adam M. Dutko dutko.adam at gmail.com
Thu Dec 1 01:09:03 UTC 2011


> One solution is of course checking how many different characters are
> present in the password and I have a quick patch which does that.

Nice

> - high enough to make the password strong(er)
> - low enough so that in case of brute force the number of possibilities
> for each character added remain high.

These seem reasonable. I think someone mentioned in a related
discussion about checking passwords against rainbow tables and forcing
a reset once the password is flagged as existing in a public table.
Maybe this would make sense considering it's now relatively cheap to
buy a decent rig with plenty of powerful graphics cards.

> So, do you have an opinion on the minimal amount of different characters
> a password should have?

I think this is tough to answer without falling back on the old
statement of ... "it depends." High character count, diverse character
sets (letters, numbers, symbols, etc.) and mixed case are all important
but I wonder how we can balance this with usability? Should we require
people to use a password management tool so they can accommodate our
complexity rules? Maybe it's a good idea but I for one wouldn't like
it.

For example, who can say whether a 20 character password comprised of
5 symbols, 5 numbers, 5 upper and 5 lower is better than a 25
character password with a similar composition? I realize various
papers exist in this area of security and mentioned one earlier in the
year on the list. The one I highlighted concluded passwords are
becoming increasingly useless in light of raw computational power. It
always strikes me as odd that we strive to require complex passwords
with finite computations; such is our present reality.

It's a hard problem that requires complementary tools. Such tools
might include randomized login delays on failures (I think we do this
already), temporary account locking (on suspected brute force), etc.

The more characters the better, the more complex the better, and the
less predictable the better.

Just my two cents.
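As an added illustration of the two quoted constraints (a minimum number of distinct characters that is high enough to help, yet low enough that it does not shrink the brute-force keyspace), here is a small Python model. It is not the patch from the thread and not code from the mailing list; the alphabet size and password length in the demo are constructed values.

```python
from functools import lru_cache
from math import comb, factorial


@lru_cache(maxsize=None)
def stirling2(n: int, k: int) -> int:
    """Stirling number of the second kind: ways to split n labelled
    positions into k non-empty unlabelled groups."""
    if n == k:
        return 1
    if k == 0 or k > n:
        return 0
    return k * stirling2(n - 1, k) + stirling2(n - 1, k - 1)


def count_exactly_k_distinct(length: int, alphabet: int, k: int) -> int:
    """Strings of `length` over `alphabet` symbols using exactly k distinct
    symbols: choose the k symbols, partition the positions into k groups,
    then assign the chosen symbols to the groups."""
    return comb(alphabet, k) * stirling2(length, k) * factorial(k)


def count_at_least_k_distinct(length: int, alphabet: int, k: int) -> int:
    """Strings an 'at least k distinct characters' rule still accepts."""
    return sum(count_exactly_k_distinct(length, alphabet, j)
               for j in range(k, min(length, alphabet) + 1))


def surviving_fraction(length: int, alphabet: int, k: int) -> float:
    """Share of the full alphabet**length keyspace an attacker who knows
    the rule still has to cover; a rule that is too strict lowers it."""
    return count_at_least_k_distinct(length, alphabet, k) / alphabet ** length


def has_enough_distinct(password: str, min_distinct: int) -> bool:
    """The check the quoted patch describes: count different characters."""
    return len(set(password)) >= min_distinct


if __name__ == "__main__":
    # Constructed scenario: 8-character passwords over a 26-letter alphabet.
    for k in (1, 4, 6, 8):
        print(f"min distinct {k}: keyspace kept {surviving_fraction(8, 26, k):.3f}")
```

With these constructed numbers, requiring all 8 characters to differ leaves only about 30% of the 26^8 keyspace, which is the "low enough" concern from the quoted bullets made concrete.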
