Following good security practice, I recently went through the process of changing my passwords. I started this exercise by changing my ISP account password. So I went through the process, entered my strong password, and logged out to try out the new password.
Next, I tried to log on with my new password but got an "invalid account or password" message. As happens to common mortals, I thought, oh, I must have entered the new password wrongly. So I tried again, carefully typing in every symbol. Same result, same frustration.
To cut a long story short, what should have taken me a minute ended up as an energy-sapping 30-minute call with support. The thing is, these guys (quite rightly, I must say, because this is the case 99% of the time) assume that whoever is calling is yet another "my computer is not working, but the power is out at my home" kind of guy. So they start asking you basic questions such as "is your modem on?", "did you change your network connection password?", etc. What is wrong, though, is that they seem to follow a script without any kind of creative thinking on their part.
I mean, if the person calling support sounds competent enough, you should skip the run-of-the-mill support questions and get to the real meat. Well, after convincing this guy that I knew what I was talking about, he asked me whether I used mixed-case letters in my password. My reply, after recovering from the neural shock of realising where he was going, was: of course I did. What kind of password would use only lower-case letters?
His reply was even more shocking. "The password you specify is converted to all lower case," he said. I assume they do this to make it simpler for single-celled organisms to log on. Two things are very bad with this "policy", if you can call it that.
First of all, let's assume that this is a good idea. Then you should at least put a bold, flashy note on the change-password page so that security-conscious users who pick a mixed-case password do not fall into this trap.
Secondly, and more importantly, who would take such a stupid decision? If a user chooses a weak password out of ignorance of the subject or pure naïveté, that is one thing, but having a policy in place that drastically reduces the strength of every password is quite another.
A simple example will suffice to get my point across to the uninitiated. Let's assume that the password can contain only the letters 'a' and 'b'. For a single-character password you have two possibilities; for a two-letter password you have 2^2 = 4 possibilities ('aa', 'ab', 'ba', 'bb'), assuming a symbol can be used more than once. In general, an alphabet of N symbols gives N^L possible passwords of length L.
So for an 8-character password where only English letters (both lower and upper case) are allowed and letters can be repeated, we get (26+26)^8 = 53,459,728,531,456 possible passwords. In theory, a dumb brute-force attack trying 500,000 passwords per second (a rate that only makes sense against a stolen copy of the password database, not against the login page itself) would take roughly 3.4 years to try all of them.
Now, by limiting the alphabet to lower-case letters only, the same scenario gives these results.
26^8 = 208,827,064,576 possible passwords. The same dumb brute-force attack would exhaust them in about 4.8 days. Folding case halves the choices at every position, so the search space shrinks by a factor of 2^8 = 256: the password has lost 8 bits of strength before it is even stored.
Clearly this is not a good choice. Sometimes I really wonder what the rationale behind such decisions was, assuming there was one in the first place.
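As an added illustration (not part of the original post), the Python below redoes the keyspace arithmetic above for any alphabet size and length and then shows what case folding does against a toy verifier. Everything about the server is assumed: the ISP's real hashing is unknown, so SHA-256 stands in for it, the lower-casing is assumed to happen before the hash is computed (the natural reading of what support said), and the 3-letter sample password "aBZ" is constructed so the exhaustive search finishes instantly.

```python
import hashlib
import itertools
import math
import string

# The two alphabets compared in the post.
MIXED_CASE = string.ascii_letters    # 52 symbols: a-z and A-Z
LOWER_ONLY = string.ascii_lowercase  # 26 symbols: a-z

# Attacker speed assumed in the post (guesses per second).
GUESSES_PER_SECOND = 500_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn, with repetition, from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def bits_lost_to_case_folding(length: int) -> float:
    """Entropy lost when 52 letters collapse to 26: exactly one bit per character."""
    return length * (math.log2(len(MIXED_CASE)) - math.log2(len(LOWER_ONLY)))


def server_hash(password: str, fold_case: bool) -> str:
    """Hypothetical verifier (assumption, not the ISP's code): optionally lower-cases before hashing.

    SHA-256 is used only to make the equivalence visible; a real system should use a
    dedicated slow password hash (bcrypt, scrypt, Argon2) with a per-user salt.
    """
    material = password.lower() if fold_case else password
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def brute_force(target: str, length: int, alphabet: str, fold_case: bool):
    """Enumerate every string of `length` over `alphabet`, hashing each the way the server does.

    Returns (matching_password_or_None, attempts_made).
    """
    attempts = 0
    for candidate in itertools.product(alphabet, repeat=length):
        attempts += 1
        guess = "".join(candidate)
        if server_hash(guess, fold_case) == target:
            return guess, attempts
    return None, attempts


def demo(password: str = "aBZ") -> dict:
    """Crack one constructed mixed-case password against a case-preserving and a case-folding server."""
    # Case-preserving server: a lower-case-only attack never finds 'aBZ'; the
    # attacker has to cover the full 52-letter alphabet.
    strict = server_hash(password, fold_case=False)
    miss, lower_tries = brute_force(strict, len(password), LOWER_ONLY, fold_case=False)
    hit_strict, mixed_tries = brute_force(strict, len(password), MIXED_CASE, fold_case=False)

    # Case-folding server: the 26-letter alphabet suffices, and the recovered
    # string 'abz' logs in even though the user typed 'aBZ'.
    folded = server_hash(password, fold_case=True)
    hit_folded, folded_tries = brute_force(folded, len(password), LOWER_ONLY, fold_case=True)

    return {
        "strict_lowercase_only": (miss, lower_tries),
        "strict_mixed": (hit_strict, mixed_tries),
        "folded_lowercase_only": (hit_folded, folded_tries),
        "strict_keyspace": keyspace(len(MIXED_CASE), len(password)),
        "folded_keyspace": keyspace(len(LOWER_ONLY), len(password)),
    }


if __name__ == "__main__":
    for n, label in ((len(MIXED_CASE), "mixed case"), (len(LOWER_ONLY), "lower case only")):
        days = seconds_to_exhaust(n, 8) / 86400
        print(f"{label:16} {n}^8 = {keyspace(n, 8):,} candidates, {days:.1f} days to exhaust")
    print(f"case folding costs an 8-character password {bits_lost_to_case_folding(8):.0f} bits")
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the toy run makes that the arithmetic alone does not: once the server folds case, the attacker does not merely finish 256 times sooner on an 8-character password, the lower-case string they recover is a valid login, so the user's careful mixed-case choice bought nothing at all.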

Let me know what you think