Monday, May 26, 2008 11:11 PM
Michael S. Kaplan
You want to know what's weak? Strong password rules, that's what's weak!
Regular reader Jan Kučera asked over in the Suggestion Box:
Hi,
Okay, this might be a little bit of a non-technical question, but... every day, somebody wants a _strong_ password from me. The best one would of course be a kilometer long, with some crazy stuff like _-*!#$ in it.
Well, I have nothing against special 'symbols' in the password, but why on earth are only ASCII characters supported? I don't know about, e.g., banks in the USA, but in my short life I haven't found any web site allowing me to enter (um... support) a Unicode password.
Am I missing something fundamental here? :)
Jan
My experience has been similar to Jan's though slightly different:
- You can include pretty much any kind of character you want, but
- Characters outside of ASCII are not given appropriate consideration in terms of overall complexity.
Thus when you look at MSDN topics like Strong Password Enforcement and Passfilt.dll, they say things like:
The following complexity requirements are enforced by strong password enforcement:
- Passwords may not contain your user name or any part of your full name.
- Passwords must be at least six characters long.
- Passwords must contain elements from three of the four following types of characters.
| Character types | Examples |
| English uppercase letters | A, B, C, … Z |
| English lowercase letters | a, b, c, … z |
| Westernized Arabic numerals | 0, 1, 2, … 9 |
| Non-alphanumeric characters (special characters) | $,!,%,^ |
| Unicode characters | €, Γ, ƒ, λ |
Having a nod to Unicode seems nice, and it is a welcome addition to the world of password complexity.
But I have a hard time having four categories apply to a subset of the first 27 characters in Unicode and then having just one category apply to the other 65,000+ characters in the BMP.
The fact that
- they would not be on most keyboards;
- they would be difficult for most people to describe even if they saw the password over a colleague's shoulder;
- these other 65,000+ characters all have different properties making them letters or symbols or numbers or non-characters
seems to not be considered.
Articles that put more verbiage and justification into the issue, like Strong passwords: How to create and use them, somehow just seem worse, with the only nod to the bulk of Unicode being isolated suggestions like
Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.
or
You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of "MySoN 8N i$ 3 yeeR$ old" or a password (using the first letter of each word) "M$8ni3y0".
But say if I tried to make a password based on random Unicode characters, such as:
ফཛڰװෝܣ໓ᄝឲౠफ़ဏஇฬほᢎሄ
sites like the Microsoft Password Checker consider this password to be weak.
To me, this seems like an analogue to audio encryption that uses frequencies beyond human auditory ranges, and hardly "weak".
Unless the checker is modeling sites that convert the string to the system default code page, which would turn most of these characters into question marks....
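As an added illustration (not code from this post, from Passfilt.dll or from the Password Checker), here is a Python sketch of the five-category rule quoted above applied to the two passwords from this post, plus the code-page conversion just mentioned; cp1252 is an assumption standing in for "the system default code page", and the user-name check is left out because no user name is in play.

```python
import unicodedata

# Sample passwords, taken from this post (constructed for the example):
# the random-Unicode string and the MSDN "first letter of each word" password.
UNICODE_PASSWORD = "ফཛڰװෝܣ໓ᄝឲౠफ़ဏஇฬほᢎሄ"
ASCII_PASSWORD = "M$8ni3y0"


def passfilt_categories(password: str) -> set:
    """Return the character classes hit, using the five classes from the
    Passfilt.dll description: English upper, English lower, ASCII digits,
    ASCII non-alphanumerics, and a single catch-all class for everything else."""
    hit = set()
    for ch in password:
        if "A" <= ch <= "Z":
            hit.add("upper")
        elif "a" <= ch <= "z":
            hit.add("lower")
        elif "0" <= ch <= "9":
            hit.add("digit")
        elif ord(ch) < 128:
            hit.add("special")  # any other ASCII character (punctuation, space...)
        else:
            hit.add("unicode")  # the other 65,000+ BMP characters, one bucket
    return hit


def passfilt_accepts(password: str, min_len: int = 6) -> bool:
    """At least six characters and at least three of the classes above."""
    return len(password) >= min_len and len(passfilt_categories(password)) >= 3


def unicode_general_categories(password: str) -> set:
    """What Unicode itself says about the same characters (Lo, Mc, Mn, ...):
    the variety that the single 'unicode' bucket flattens away."""
    return {unicodedata.category(ch) for ch in password}


def after_codepage_roundtrip(password: str, codepage: str = "cp1252") -> str:
    """Simulate a site that converts the string to a legacy code page:
    every character the code page cannot represent becomes '?'."""
    return password.encode(codepage, errors="replace").decode(codepage)


if __name__ == "__main__":
    for pw in (ASCII_PASSWORD, UNICODE_PASSWORD):
        print(repr(pw), passfilt_categories(pw), passfilt_accepts(pw),
              unicode_general_categories(pw), repr(after_codepage_roundtrip(pw)))
```

Run as-is, the ASCII password hits four classes and passes while the seventeen-character Unicode password hits exactly one class and fails, and after the code-page round trip it is nothing but question marks.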
This blog brought to you by ཛ (U+0f5b, aka TIBETAN LETTER DZA)