>>>>>>>>We had a discussion recently in the team about the length of what a password should be. Some would say the longest is the better. Well, while this may be good as an answer, I would be curious to know, before encryption, what is the length you usually have in your application for the member's table password.
>>>>>>>
>>>>>>>
>>>>>>>I'd go for at least 6 chars. You can ask for eg at least one upper case char, two lower case, one digit, .. Such a test is easily done with a Regex
>>>>>>
>>>>>>Just vaguely wondering about the maths of password strength. Say you have a simple two character password. If you stipulate that one must upper case and one must be lower case then you are actually reducing the number of available combinations to 26x26 rather than the 52x52 which would otherwise apply :-}
>>>>>
>>>>>
>>>>>
>>>>>In that case (one upper and one lower) there are 26 * 26 * 2 possibilities ( or 52 * 26) since you can start with either upper case or lower case
>>>>
>>>>But still not as many as if 2 lower or two upper were also allowed.
>>>
>>>
>>>True - but if you say at least 6, with at least one lower case and at least one upper case, then the possibilities of two (out of the 6) chars are reduced to 26. And you still have to figure out where they are
>>
>>True. But if I'm trying to crack a password I still have less combinations to test if I know that at least one of the characters is upper case and at least one is lower case.
>
>
>I'm curious now
>
>Say 6 chars with at least one upper and at least one lower
>
>6 chars upper/lower is 52 ^ 6
>
>4 chars upper/lower, one lower, one upper
>
>is more than 26^2 * 52^4 ( since the place of the upper/lower ones are not fixed) but less than 52 ^ 6
>
>
>(1) How would you go about cracking the password ?
>
>(2) How many possibilities would you say there are ( have tried myself but ended up with more than 52 ^ 6)

Aw, I don't know. You're making me think more about this than I intended and it's supposed to be a holiday :-}
But my premise remains true - the more restrictions you place on a password's contents the less options I have - and less combinations need to be tested to break it.

I guess that phycology plays as much a part as maths in this and am prepared to assume that better brains than mine have decided that imposing restrictions does, for the average user, result in stronger passwords...