# Effect of human nature on password rules

• Genius
• Posts: 13511
• Loc: Florida

3+ Months Ago

Assume for a second that nobody imposed rules like "must contain a number", or "must contain an uppercase letter" on passwords.

Take a password like "mydogsname". It's 10 characters long. for simplicity sake, assume passwords can contain a-z, A-Z, and 0-9, that's 62 (26+26+10) possible characters for each position in the password. 839,299,365,868,340,224 possible combinations.

If I impose a "must contain an uppercase letter" rule on passwords, I'm willing to bet the majority of people are simply going to change their password to "Mydogsname". Still 10 characters long, but instead of 62^10 possible combinations, I've removed 26 possible letters from one of the slots. Since the "M" in "Mydogsname" is the most significant bit, human nature reduces possible combinations from 62^10, to ((62^9)*36) or 487,335,115,665,487,872 possible combinations.

By imposing this rule on passwords, without taking into consideration human nature to keep things easy, I've cut the work required to "brute force", or "rainbow table lookup" the password nearly in half.

But, wait. I'm also willing to bet that the rest of the characters are going to be lowercase, since "one uppercase letter" is the bare minimum and the minimum is what most people do when it comes to rules.

So, that ends up doing for the rest of the letters in the password, the same thing as for the first letter. It cuts 26 possible characters from the password. Giving me 36^10 or 3,656,158,440,062,976 combinations. Significantly fewer combinations for my password to be "lost" in, than if this rule wasn't in place.

I keep seeing new rules being imposed on passwords, which means to me that the rules are not working as intended. I wonder if that's because they keep inadvertently shrinking the work required to guess the passwords.
• Gold Member
• Posts: 763
• Loc: Conroe, Texas

3+ Months Ago

Very intriging. But is someone bored or what?
• Genius
• Posts: 13511
• Loc: Florida

3+ Months Ago

I was a little annoyed that day, about how many people I know, who complained about the crazy rules websites apply to passwords these days. That, and I took Thursday/Friday as vacation days last week, so yeah, I was a little bored.

## Post Information

• Total Posts in this topic: 3 posts
• Users browsing this forum: Jessytoo and 1 guest
• You cannot post new topics in this forum
• You cannot reply to topics in this forum
• You cannot edit your posts in this forum
• You cannot delete your posts in this forum
• You cannot post attachments in this forum