
Don't forget sites that require: "your password MUST contain at least one number, one uppercase letter, and one of the following characters: !, @, #, or $, but not %, ^, &, or *". I slap my forehead at how counterproductive these requirements are.


This is why, for my lab's password changer, the requirement for short passwords is simply that it must have one upper, one lower, one digit, and one none-of-the-above (and be at least 8 characters).

If you have a long password (at least 16 characters), all other requirements are waived so that you can use passphrases.


Wow, sanity in password requirements? Do they also avoid the silly mandatory 30-day password change?


I hope so; that's annoying and counterproductive.


Forcing one or more digits has little value. You are better off with one uppercase, one lowercase and two non-alphabet characters. (Users are very likely to be replacing a letter with 1 or 0, so 2 options * 8 positions = 16 possibilities = fail.)


Which is exactly the sort of terrible rules xkcd is criticizing (paraphrasing glenra).

Instead of 4 extra enforcements you could add 8 extra characters.

Your entropy is (somewhat simplified)

One 8 letter word: 15 bits

1 uppercase = 3 bits (or even just 1 bit, people capitalize the first letter)

reversing 2 rules above: 1 bit

replacing two characters at random places: 8*7/2 = 4.8 bits

inserting 2 random non-alphabet characters: 40^2 = 10.6 bits

Total: 34.4

The entropy of three medium difficulty words is log(4000^3) = 35.9

Instead of memorizing K!ybo4rd it could be mykeyboardisblue.
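As an added example (not from any commenter in the thread), the lab policy described earlier (four character classes for short passwords, waived at 16 characters) and the entropy arithmetic above, in Python. The 15-bit word estimate, 40-symbol alphabet and 4000-word dictionary are the commenter's assumed figures, and the policy thresholds are the ones stated in the thread.

```python
import math


def policy_ok(pw: str, min_len: int = 8, passphrase_len: int = 16) -> bool:
    """Password policy as described in the thread (thresholds assumed from it):
    at least min_len characters; below passphrase_len the password must contain
    one upper, one lower, one digit and one none-of-the-above; at or above
    passphrase_len all class requirements are waived so passphrases work."""
    if len(pw) < min_len:
        return False
    if len(pw) >= passphrase_len:
        return True
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # none-of-the-above (symbol or space)
    )
    return all(classes)


def mangled_word_bits(word_bits: float = 15.0, word_len: int = 8,
                      symbol_alphabet: int = 40) -> float:
    """Entropy of the 'K!ybo4rd' scheme using the commenter's simplified model."""
    bits = word_bits                                    # one common 8-letter word
    bits += math.log2(word_len)                         # which letter is capitalised: 3 bits
    bits += 1.0                                         # whether the two rules above are reversed
    bits += math.log2(word_len * (word_len - 1) / 2)    # two positions to replace: 8*7/2 = 4.8 bits
    bits += 2 * math.log2(symbol_alphabet)              # two symbols from a 40-symbol set: 10.6 bits
    return bits


def passphrase_bits(words: int = 3, dictionary: int = 4000) -> float:
    """Entropy of a passphrase of `words` words drawn from a `dictionary`-word list."""
    return words * math.log2(dictionary)


if __name__ == "__main__":
    for pw in ("K!ybo4rd", "mykeyboardisblue", "password", "Password1!"):
        print(f"{pw!r:22} passes policy: {policy_ok(pw)}")
    print(f"mangled word: {mangled_word_bits():.1f} bits")   # 34.4
    print(f"three words:  {passphrase_bits():.1f} bits")     # 35.9
```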


The requirement for many of my websites is simply that it "must not consist solely of lowercase letters" (as well as a minimum length).


>must not consist solely of lowercase letters

Which is exactly the sort of terrible restriction xkcd is criticizing.


A space is not a lowercase letter, so the xkcd password would pass my test.


Then the space would be "the obeisance to the stupid website piece". Note that the entropy of "correct horse battery staple" is only one bit more than "correcthorsebatterystaple".


Yeah, a lot of my passwords look like "securesecretpassphraseA1!"

There's the secure piece, and there's the obeisance to the stupid website piece.


I have a couple of domains registered with 123-reg.

To prevent unauthorised access to your account your password must contain 8 characters.

Wait, what? They're right, too. You can't have 7 characters and you can't have 9.


Yes, a friend was complaining about that recently.

It's a bruteforcer's dream.


Hi

I work on behalf of 123-reg.

We are working on changing this in future control panel updates.

Regards,

Ricky


What could the reasoning behind those requirements possibly be?


Usually the symbols involved are used by SQL or some other layer, and the programmers insert the password directly into the query string because they don't know any better. This leads to SQL injection and other issues.

So rather than discovering the correct way to do things, they try to prevent you from using any characters that might be involved in an SQL injection.

In some cases the guys on the backend know what they're doing, but the requirement can still be passed down from on high from some manager who absorbed the practice from another project.


If anyone knew what they were doing, the unencrypted password would be nowhere near a SQL statement.


They're trying to force users to use those characters in an attempt to enlarge the space passwords are drawn from. It doesn't work very well, of course. Instead of "password", you just get "Password1!". That said, I might make the same choice (for short passwords) if I were implementing password policy.

Edit: If you meant the "but not %, ^, &, or *" requirement, that's an indication that the devs don't know how to use prepared statements or at least escape properly.


Those requirements are there for the people who try putting just their name or "password" or their 4 digit ATM PIN as their password. For very short passwords, only having alphabetical (not even alphanumeric) passwords is terrible. Those requirements are there to prevent some really stupid passwords.


Covering your ass by disallowing passwords like "password".


No, I meant specifically why they would allow certain special characters and not others.

