> Do people REALLY brute force passwords?

Yes. Source: I have, multiple times.

> Do people REALLY brute force all lowercase, all latin combinations up to 20 characters before trying symbols, uppercase and numbers?

Remotely? No. Locally? Yes.

If I have some hashes, I am going to be doing every combination of characters at least up to 8 digits. If they're using something bad like 3DES or MD5 then I can go up to 20 digits and check everything.

Remotely you're typically using a common password dictionary which is just a few thousand passwords people often use. If you had a botnet you might be able to do every combination (I don't).

> I am very skeptical that the '3/4 complexity rules' approach is making systems meaningfully more secure.

Nor am I. I am more an XKCD-sentence password fan myself...

I really like entropy calculators. They're much more useful than broad generic requirements that actually reduce the set of potential passwords.

The entropy calculators that give people "prods" (so there are no requirements, just a traffic light system) are absolutely wonderful.

> I've never lost them to brute force. Every time it was because someone got inside a company and made off with the database

Which still requires brute forcing assuming the passwords are stored correctly. If it is something modern like PBKDF2 with a decent number of iterations (e.g. 10K rounds) it can be a nightmare even if your password is "just" 8 digits.

> If complexity rules don't add anything, they should be discarded in the name of usability.

Agreed. They aren't even based on any research, someone in the 1980s just thought they "sounded" secure. Nobody has spent any time actually researching this, we just repeat the same tired advice from thirty years ago because "common sense" tells us it is a good idea.
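An added example (not from the comment or its author) of the kind of entropy calculator the comment favours: it estimates the exhaustive-search keyspace of a candidate password, gives a traffic-light prod instead of a hard rule, and shows how a stretched hash like PBKDF2 with 10K rounds multiplies the work compared with a fast hash. The guess rate and the colour thresholds are illustrative assumptions, not measured figures.

```python
import math
import string

# Character classes for the keyspace estimate (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Illustrative assumption: a fast unsalted hash (MD5-class) checked at 1e10 guesses/s.
FAST_HASH_GUESSES_PER_SEC = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """log2 of the candidates an exhaustive search over that alphabet and length covers."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def expected_years(bits: float, iterations: int = 1) -> float:
    """Expected search time: half the keyspace, with each guess costing
    `iterations` underlying hash computations (PBKDF2-style stretching)."""
    guesses_per_sec = FAST_HASH_GUESSES_PER_SEC / iterations
    return (2 ** bits / 2) / guesses_per_sec / SECONDS_PER_YEAR


def traffic_light(password: str) -> str:
    """A 'prod' rather than a rule: the thresholds are this example's own choice."""
    bits = keyspace_bits(password)
    if bits < 40:
        return "red"
    if bits < 64:
        return "amber"
    return "green"


if __name__ == "__main__":
    for pw in ["password", "Passw0rd!", "correcthorsebatterystaple"]:
        b = keyspace_bits(pw)
        print(f"{pw!r}: {b:.1f} bits, {traffic_light(pw)}, "
              f"fast hash {expected_years(b):.2e} y, "
              f"PBKDF2 10K rounds {expected_years(b, 10_000):.2e} y")
```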
