Password management
Message
From
28/05/2013 03:37:10
To
27/05/2013 15:17:23
General information
Forum: ASP.NET
Category: Other
Environment versions
Environment: VB 9.0
OS: Windows 7
Network: Windows 2003 Server
Database: MS SQL Server
Application: Web
Miscellaneous
Thread ID: 01574811
Message ID: 01574900
Views: 49
>>>>>>>>>>We had a discussion recently in the team about what the length of a password should be. Some would say the longer the better. Well, while this may be good as an answer, I would be curious to know, before encryption, what is the length you usually have in your application for the member's table password.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>I'd go for at least 6 chars. You can ask for e.g. at least one upper case char, two lower case, one digit, ... Such a test is easily done with a Regex
>>>>>>>>
>>>>>>>>Just vaguely wondering about the maths of password strength. Say you have a simple two character password. If you stipulate that one must be upper case and one must be lower case then you are actually reducing the number of available combinations to 26x26 rather than the 52x52 which would otherwise apply :-}
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>In that case (one upper and one lower) there are 26 * 26 * 2 possibilities (or 52 * 26) since you can start with either upper case or lower case
>>>>>>
>>>>>>But still not as many as if 2 lower or two upper were also allowed.
>>>>>
>>>>>
>>>>>True - but if you say at least 6, with at least one lower case and at least one upper case, then the possibilities of two (out of the 6) chars are reduced to 26. And you still have to figure out where they are
>>>>
>>>>True. But if I'm trying to crack a password I still have less combinations to test if I know that at least one of the characters is upper case and at least one is lower case.
>>>
>>>
>>>I'm curious now
>>>
>>>Say 6 chars with at least one upper and at least one lower
>>>
>>>6 chars upper/lower is 52 ^ 6
>>>
>>>4 chars upper/lower, one lower, one upper
>>>
>>>is more than 26^2 * 52^4 ( since the place of the upper/lower ones are not fixed) but less than 52 ^ 6
>>>
>>>
>>>(1) How would you go about cracking the password?
>>>
>>>(2) How many possibilities would you say there are (have tried myself but ended up with more than 52 ^ 6)
>>
>>Aw, I don't know. You're making me think more about this than I intended and it's supposed to be a holiday :-}
>>But my premise remains true - the more restrictions you place on a password's contents the less options I have - and less combinations need to be tested to break it.
>
>
>So sorry - I could not figure it out - so I thought you might

I didn't get past thinking that a six character with at least one upper and one lower would be 52^5*26 rather than 52^6 (and even that might be wrong)
If at least one number needs to be present that might make it 52^4*26*10.

>>I guess that phycology plays as much a part as maths in this and am prepared to assume that better brains than mine have decided that imposing restrictions does, for the average user, result in stronger passwords...
>
>
>I don't see the link with phycology

For example : given a rule that the password must contain one upper case letter I'd bet ~80% would make the first character the upper case one.

Might be interesting to play with a brute force algorithm. Might be that the extra logic to skip invalid combinations would have more overhead than assuming all combinations were valid and going for a simple fast loop.....
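The count the thread is circling, worked through as an added example that is not part of the original post: inclusion-exclusion gives the number of length-n passwords that contain at least one character from each required class, and a direct enumeration cross-checks it at short lengths. The function names are chosen for this example, and the classes are assumed to be disjoint (A-Z, a-z, 0-9).

```python
from itertools import combinations, product
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def count_compliant(length, class_sizes):
    """Number of strings of `length` over the union of disjoint character
    classes that contain at least one character from every class."""
    total = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        # combinations() picks by position, so two classes of equal size
        # (26 upper, 26 lower) are still treated as distinct.
        for missing in combinations(class_sizes, k):
            # Strings that use no character from any class in `missing`.
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def count_by_enumeration(length, classes):
    """Cross-check for short lengths: build every string, test the rule."""
    alphabet = "".join(classes)
    return sum(
        all(any(ch in cls for ch in s) for cls in classes)
        for s in product(alphabet, repeat=length)
    )


def keyspace_fraction(length, class_sizes):
    """Share of the unrestricted keyspace that still satisfies the rule."""
    return count_compliant(length, class_sizes) / sum(class_sizes) ** length


if __name__ == "__main__":
    # Two-character case from the thread: 26 * 26 * 2 out of 52 * 52.
    print(count_compliant(2, (26, 26)), 52 ** 2)
    # Six characters, at least one upper and one lower: 52^6 - 2 * 26^6.
    print(count_compliant(6, (26, 26)), 52 ** 6, 52 ** 5 * 26)
    print(f"{keyspace_fraction(6, (26, 26)):.5f} of 52^6 remains")
    # Adding a required digit (alphabet of 62 characters).
    print(count_compliant(6, (26, 26, 10)), 62 ** 6)
    print(f"{keyspace_fraction(6, (26, 26, 10)):.5f} of 62^6 remains")
    # Enumeration agrees with the formula at length 3.
    print(count_by_enumeration(3, (UPPER, LOWER)) == count_compliant(3, (26, 26)))
```

For six characters the upper-plus-lower rule leaves 31/32 of the 52^6 keyspace, so the reduction is real but small; the share removed grows as the password gets shorter or more classes are required.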