
>I mean, I can imagine that a clueless user might have the illusion of safety if they're using something like "1q2w3e4r5t" but if I use "aaaaaaaaa" as a password on a website I know full well what I'm doing. So why even bother?

It's not an illusion, 1q2w3e4r5t is indeed better than aaaaaaaaa, even if it's just the numbers interleaved with qwerty (and probably easy to brute force generate up to it).

>if I use "aaaaaaaaa" as a password on a website I know full well what I'm doing. So why even bother?

Because not everyone who uses "aaaaaaaaa" (or "1q2w3e4r5t" for that matter) knows "full well" that it's insecure?



Okay, I'm game: HHHnHHHHnHHHHHnnnnnnnnnHHnnnnnnHHHHH

It's a password that I postulate is more secure than the average and yet is only made of two different symbols and would've been rejected by the proposed "x amongst y" character policy.

It's a bit far fetched but not that much, you'll notice that the pattern is simply the first digits of pi, so it's fairly easy to remember. And the letters are "Hn", like hacker news.

That's my point, really. If you think you know better than the user how to pick a password, then just do it. Otherwise don't get in my way, you don't know how I generate my passwords.


>That's my point, really. If you think you know better than the user how to pick a password, then just do it. Otherwise don't get in my way, you don't know how I generate my passwords.

Only they don't need to know how YOU generate your passwords. Just how most of their users generate their passwords. The suggestions and rules are not there to protect computer scientists from entering bad passwords...


zxcvbn (https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.ht...) gives it a score of 4/4 and an entropy of 10^20, meaning it would take centuries to hack at 10B a second. I think this is a slight overstatement of the security, because it's probably more along the lines of 5050 * 2^30 which is closer to 10^12. And this would be a legal password (but banned by the bullshit password rule).

I feel like the solution to everything in this thread is just to use zxcvbn and stop with the insane rules for things. In your two cases: the bank would disallow passwords below some limit while the blog would just show you a warning (in case you were ignorant of hacking enough to know that "aaaaaaaa" wasn't a good password), but let you use your awful password to spare you from having to remember it.
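An added example, not code from the thread or from the zxcvbn project: a small Python strength estimator in the pattern-based spirit discussed above, with the "x amongst y" class rule beside it. The common-password list is a constructed six-entry stand-in (a real deployment would use a large leaked-password corpus such as the one zxcvbn ships), the keyboard rows and class pool sizes are assumptions, and the few-symbol check models the attack the comment sketches: choose the symbol set (C(95, k)), then enumerate every string of that length over it. That is why the pi-pattern password lands near 10^14 guesses (hours at 10 billion a second) instead of centuries, while the class rule rejects it outright.

```python
import math
import re

# Constructed stand-in for a leaked/common-password corpus (rank = index + 1).
# A real deployment would use a large list such as the one zxcvbn ships.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "1q2w3e4r5t", "aaaaaaaa", "letmein"]

# Assumed keyboard rows used for walk detection.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# (regex, pool size) for each printable-ASCII character class (assumed sizes).
CLASS_POOLS = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))
PRINTABLE = 95  # total printable ASCII symbols

# The password from the thread: pi's digits encoded as runs of "H" and "n".
HN_PASSWORD = "HHHnHHHHnHHHHHnnnnnnnnnHHnnnnnnHHHHH"


def class_policy_ok(pw, min_len=8, min_classes=3):
    """The 'x amongst y' rule the thread objects to: length plus character classes."""
    classes = sum(1 for pat, _ in CLASS_POOLS if re.search(pat, pw))
    return len(pw) >= min_len and classes >= min_classes


def pool_size(pw):
    """Alphabet an attacker must cover if all they know is which classes appear."""
    return sum(size for pat, size in CLASS_POOLS if re.search(pat, pw))


def brute_force_guesses(pw):
    """Upper bound: exhaustive search over the visible character classes."""
    return pool_size(pw) ** len(pw)


def common_list_guesses(pw):
    """Dictionary attack: a listed password falls at its rank."""
    return COMMON_PASSWORDS.index(pw) + 1 if pw in COMMON_PASSWORDS else math.inf


def repeat_guesses(pw):
    """One symbol repeated: try every symbol at every length (pool x length)."""
    return pool_size(pw) * len(pw) if len(set(pw)) == 1 else math.inf


def few_symbols_guesses(pw, max_distinct=3):
    """The attack the commenter sketches: choose the k-symbol set, then enumerate
    every length-n string over it, i.e. C(95, k) * k**n guesses."""
    k = len(set(pw))
    return math.comb(PRINTABLE, k) * k ** len(pw) if 2 <= k <= max_distinct else math.inf


def keyboard_walk_guesses(pw):
    """Straight row walks ('qwerty') and two rows interleaved ('1q2w3e4r5t')."""
    starts = sum(len(row) for row in KEYBOARD_ROWS)  # 36 possible start keys

    def on_row(s):
        return len(s) >= 3 and any(s in row for row in KEYBOARD_ROWS)

    if on_row(pw):
        return starts * len(pw)
    if on_row(pw[0::2]) and on_row(pw[1::2]):
        return (starts * len(pw)) ** 2
    return math.inf


def estimate_guesses(pw):
    """Pattern-based score: the attacker uses whichever strategy is cheapest."""
    return min(brute_force_guesses(pw), common_list_guesses(pw), repeat_guesses(pw),
               few_symbols_guesses(pw), keyboard_walk_guesses(pw))


def crack_time_seconds(guesses, rate=1e10):
    """Time at the thread's assumed 10 billion guesses per second."""
    return guesses / rate


def report(pw):
    """Policy verdict and estimated guesses/time for one password."""
    guesses = estimate_guesses(pw)
    return {"password": pw, "policy_ok": class_policy_ok(pw),
            "guesses": guesses, "seconds": crack_time_seconds(guesses)}


if __name__ == "__main__":
    # "Vq8#mZ2p" is a constructed sample that satisfies the class rule.
    for pw in ("aaaaaaaaa", "1q2w3e4r5t", HN_PASSWORD, "Vq8#mZ2p"):
        r = report(pw)
        print(f"{pw:40} policy_ok={r['policy_ok']!s:5} guesses={r['guesses']:.3g} "
              f"time={r['seconds']:.3g}s")
```

Taking the minimum over strategies is the design choice that matters: a per-class rule sees only the alphabet, so it passes an 8-character mixed password and rejects the 36-character two-symbol one, while the estimator ranks them by the cheapest attack it knows about. Extending it means adding more pattern detectors, not more composition rules.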


> 1q2w3e4r5t

"COMMON PASSWORD: IN THE TOP 9635 MOST USED PASSWORDS

Your password is very commonly used. It would be cracked almost instantly[1]"

I do realise there's a difference between cracking a local system password vs a website password, but always assume a site's database is going to be leaked at some point.

[1] https://howsecureismypassword.net/ (Don't go putting real passwords in there..)


It would take a computer about

47 TREDECILLION YEARS to crack your password

Why not create even stronger passwords with Dashlane? It's free!

I didn't know that was a number!


> It's not an illusion, 1q2w3e4r5t is indeed better than aaaaaaaaa, even if it's just the numbers interleaved with qwerty (and probably easy to brute force generate up to it).

In this case, we're talking 'better' but still bullshit [1]. Calling it 'better' makes no meaningful distinction whatsoever in practice.

[1] https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.ht...




