The only requirement back then was that the password had a minimum length of 12 characters.
Apparently this has changed since then: when I tried to set up a new account today, I was told that the password needed to include at least 1 number.
To the regular person, this might sound like an improvement, but in reality passwords that contain numbers are barely any safer than passwords without them.
Passwords with numbers and/or special characters in them are just more prone to being mistyped or forgotten by the owner.
The minimum password length for a LastPass master password is 12 characters. Let's assume it also needs to include at least 1 special character, 1 number and 1 upper- and lower-case letter.
I'll have you know that the password I tried to set (without any numbers or special characters, but with lower and uppercase letters) contained over 30 characters spread over more than five words.
Now let's compare these two:
- Most people choose the special character in their password from a rather limited set... let's be generous and assume this set contains 20 characters. This makes the number of possibilities for any character in the LastPass password 20 + 10 + 26 + 26 = 82 different characters. 82^12 = at least 9.24 * 10^22 possibilities for the complete password.
- Let's assume that my password of 30 characters only contains lowercase letters, so only 26 different characters. 26^30 = at least 2.81 * 10^42 possibilities for the complete password.
That is 3 * 10^19, which is 30.000.000.000.000.000.000 times as many possibilities. It's almost the square of the number of possibilities of the 12-character, many-possibilities password.
Now I said that my password contained more than 5 words that you are, arguably, able to find in an English dictionary.
The Oxford English Dictionary lists roughly 171.500 words. The average length of English words is roughly 5.1 letters, which would lead to passwords of 30 characters having about 6 words on average.
171.500^6 = at least 2.54 * 10^31 possibilities for the complete password.
So that'd make the password less safe if it only contained officially spelled English words, but still way safer than the 12-character, many-possibilities password.
What we observe here is that:
1. Adding more possible characters does increase the safety of the password.
2. Increasing the length of the password seems to be way more effective than increasing the number of possible characters.
3. If increasing the number of possible characters by x results in n possible passwords, increasing the length of the password by x seems to result in roughly n^2 possible passwords.
4. A password cracking algorithm would probably have an easier time cracking a password with only correctly spelled English words.
So that is why I wonder why numbers suddenly became a requirement (again).
Is it a legal thing or something? Because if anyone should know about this stuff, I'd expect it to be the people from LastPass.
Since LastPass remembers all other passwords for you, the only password users really need to remember themselves and NEVER EVER forget, is their LastPass password.
This is why I opt for a requirements system for passwords in which the minimum password length depends on the number of optional requirements that are fulfilled.
Optional requirements:
- Capital letters
- lowercase letters
- numbers
- special characters ("!", "?", "@" etc.)
- very special characters ("(", "{", "[", "¿", etc.)
Minimum password length by number of optional requirements fulfilled:
1. 32 characters
2. 22 characters
3. 16 characters
4. 12 characters
5. 10 characters
So, for instance, if someone uses only lowercase letters, numbers and special characters in their password, their minimum password length is 16 characters.
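To make the keyspace comparison above and the proposed requirements-dependent minimum length concrete, here is an added example (my own code, not from the original post or from LastPass) that computes the three keyspaces and checks a password against the proposed scheme. The exact membership of the "special" and "very special" classes is an assumption, since the post only gives a few examples of each; the sample passwords are constructed.

```python
import math
import string

# Character classes from the proposal. The post only names a few examples of each
# punctuation group ("!", "?", "@" vs. "(", "{", "[", "¿"), so the split below is an
# assumption: brackets and any non-ASCII symbol are counted as "very special".
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("!?@#$%&*+-=_.,:;/\\'\"|~^`"),
    "very_special": set("(){}[]<>"),
}
# Minimum length as a function of how many optional classes the password uses.
MIN_LENGTH = {1: 32, 2: 22, 3: 16, 4: 12, 5: 10}

def classes_used(password):
    """Return the set of optional requirement classes present in the password."""
    used = set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                used.add(name)
                break
        else:
            used.add("very_special")  # anything unclassified, e.g. "¿" (assumption)
    return used

def check_policy(password):
    """Return (ok, classes_used, required_length) under the proposed scheme."""
    used = classes_used(password)
    required = MIN_LENGTH[len(used)] if used else None
    ok = required is not None and len(password) >= required
    return ok, used, required

def keyspace(alphabet_size, length):
    """Number of passwords of exactly `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length

def bits(possibilities):
    """Keyspace in bits of entropy, which is easier to compare than raw counts."""
    return math.log2(possibilities)

if __name__ == "__main__":
    # The three cases from the post: 12 chars over 82 symbols, 30 lowercase letters,
    # and 6 words drawn from a 171,500-word dictionary.
    for label, n, k in [("82 symbols x 12", 82, 12), ("26 letters x 30", 26, 30),
                        ("171500 words x 6", 171500, 6)]:
        print(f"{label}: {keyspace(n, k):.2e} possibilities, {bits(keyspace(n, k)):.1f} bits")
    for pw in ["CorrectHorseBatteryStapleRocks", "Tr0ub4dor&3"]:  # constructed samples
        print(pw, check_policy(pw))
```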
What are your thoughts on this? Please let me know.
