Tuesday, March 16, 2010

Password Quality

So, do you administer a system with general users accessing it? Your company's AD, online banking, launch codes? Do you require that passwords be "high quality" - in other words, do you require that they be of at least a certain length, and further require that they contain characters other than letters, such as numbers, braces and the like?

In that case, I expect that most of your users are using 7 or 8 character passwords with the numbers 1 or 2 in them, typically at the beginning (for 1) or in the middle (for 2); if they are REALLY trixy they might be doing l33t letter-for-number substitution. If I guessed the length wrong, I might be able to figure out the minimum by getting an account and then choosing bad passwords until you tell me the rules. Once I know the rules, human nature helps me narrow down the field of passwords I should try in brute-forcing your accounts from the millions down to the hundred thousand or so that fit your more restrictive scheme.

What? You say your scheme isn't restrictive? It only insists on certain quality measures to ensure that folks aren't using "password" or "qwerty", and they could be using 21 character passwords just as easily as the minimum 7. OK, I'm not interested in the folks using passwords like "afttr2U*sdfvS!&Ennadcczxza)0". If they can remember that, their head is too full of passwords for their account to have anything in it of interest. I'm interested in cracking the vast majority of accounts, which will do the minimum required to pass your quality tests and end up with "g00d2g01", and then at the next rotation will choose "g00d3g01". (OK, maybe you are doing comparisons to the last 6 passwords; that would help. You are doing at least 6 revs, right?)

My point is that the best password quality testing would actually just test quality and not announce the rules so much. Sure, a pure brute force will crack a 5 character password reasonably quickly, but who does pure brute force cracking anymore? Do you lock accounts out after some reasonable number of attempts? How long would it take to crack a 5 character password if you lock me out after every 5 tries and I have to either a) wait for a timer to expire or b) wait for a manual reset? Somewhere in the vicinity of a thousand years if the timeout is more than an hour or two, and I would hope that some time in the first decade of trying, you would notice that the account I'm attacking keeps getting locked out.
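To put numbers on the lockout argument, here is an added example (not code from the original post) that computes how long an online guessing attack takes when the account locks for a fixed window after a fixed number of failures. The 5-attempts-per-window figure comes from the post; the one-hour window, the character-set sizes and the "100,000 rule-fitting candidates" figure are assumptions chosen to match the post's rough estimates, and the example generalizes to any charset, length and lockout policy.

```python
# Added example, not from the original post: bound an online password-guessing
# attack by the account-lockout policy. All parameters are assumptions.
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(candidates: int, attempts_per_window: int,
                     window_seconds: float) -> float:
    """Worst-case years to try every candidate when the account locks after
    `attempts_per_window` failures and stays locked for `window_seconds`.
    The attacker gets exactly one burst of attempts per lockout window."""
    windows = math.ceil(candidates / attempts_per_window)
    return windows * window_seconds / SECONDS_PER_YEAR


def years_without_lockout(candidates: int, guesses_per_second: float) -> float:
    """Same search with no lockout, limited only by the login endpoint's rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def lockout_report(attempts_per_window: int = 5, window_seconds: float = 3600,
                   guesses_per_second: float = 100) -> dict:
    """Worst-case years for several search spaces under the given policy.
    Charset sizes: 26 = lowercase only, 95 = printable ASCII.
    'narrowed' is the post's ~100,000 candidates that fit an announced rule."""
    spaces = {
        "lowercase, 5 chars": keyspace(26, 5),
        "printable, 5 chars": keyspace(95, 5),
        "narrowed (rule-fitting), ~100k": 100_000,
    }
    return {
        name: {
            "candidates": n,
            "years_with_lockout": years_to_exhaust(n, attempts_per_window,
                                                   window_seconds),
            "years_without_lockout": years_without_lockout(n, guesses_per_second),
        }
        for name, n in spaces.items()
    }


if __name__ == "__main__":
    for name, row in lockout_report().items():
        print(f"{name:32s} candidates={row['candidates']:>14,d} "
              f"locked={row['years_with_lockout']:>12,.1f} y "
              f"unlocked={row['years_without_lockout']:>10,.4f} y")
```

The interesting row is the narrowed one: even after an announced rule has shrunk the space to a hundred thousand guesses, a 5-tries-then-one-hour lockout stretches the search to over two years, which is plenty of time for the repeated lockouts to show up in the logs.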

There are reasonably good safeguards to keep attackers from logging in using brute force cracking, which just leaves stupid password trying like "xyzzy" and "Passw0rd", which ANY good password quality test would reject. The way we're trying for quality right now is worse than annoying; it's counterproductive, in that it gives attackers more information about the password space they would be cracking than we should, and encourages predictable passwords.
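As an added example of the kind of test the post is asking for (my code, not the author's), the checker below judges the password itself rather than enforcing an announced composition rule: it undoes common letter-for-number substitutions, rejects passwords built mostly from a weak word or a keyboard run, and compares against previous passwords so that "g00d2g01" cannot be rotated to "g00d3g01". The wordlist, the substitution map, the minimum length and the similarity threshold are all assumptions; the wordlist in particular is deliberately tiny for the demo.

```python
# Added example, not from the original post: a password-quality check that
# tests quality directly instead of announcing composition rules.
import re

# Undo common l33t substitutions before dictionary lookup (assumed map).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed, deliberately tiny wordlist; a real deployment would use a
# large breach-derived list.
WEAK_WORDS = {"password", "qwerty", "xyzzy", "letmein", "welcome", "good",
              "admin", "monkey"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def normalize(pw: str) -> str:
    """Lower-case and undo letter-for-number substitutions."""
    return pw.lower().translate(LEET)


def longest_word_match(norm: str) -> str:
    """Longest wordlist entry of 4+ letters found in the normalized password."""
    hits = [w for w in WEAK_WORDS if len(w) >= 4 and w in norm]
    return max(hits, key=len, default="")


def has_keyboard_run(norm: str, run: int = 4) -> bool:
    """True if `run` adjacent keys from one row appear in order, either way."""
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r) - run + 1):
                if r[i:i + run] in norm:
                    return True
    return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches rotate-by-increment reuse."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def weaknesses(pw: str, history: tuple = (), min_len: int = 8) -> list:
    """Return the reasons a password is weak; an empty list means it passes.
    The reasons are for the audit log; the user only sees user_message()."""
    norm = normalize(pw)
    letters = re.sub(r"[^a-z]", "", norm)
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    word = longest_word_match(norm)
    # Reject when a single weak word accounts for at least half the letters.
    if word and 2 * len(word) >= len(letters):
        reasons.append(f"dictionary word '{word}' makes up most of the password")
    if has_keyboard_run(norm):
        reasons.append("keyboard pattern")
    # Compare normalized forms so "g00d2g01" -> "g00d3g01" is seen as reuse.
    if any(edit_distance(norm, normalize(old)) <= 2 for old in history):
        reasons.append("too similar to a previous password")
    return reasons


def user_message(reasons: list) -> str:
    """Generic feedback: do not tell the user (or an attacker) which rule fired."""
    return "" if not reasons else "Please choose a different password."


if __name__ == "__main__":
    for pw in ("password", "qwerty", "xyzzy", "Passw0rd", "g00d2g01",
               "afttr2U*sdfvS!&Ennadcczxza)0"):
        print(f"{pw!r:34s} -> {weaknesses(pw)}")
    print(weaknesses("g00d3g01", history=("g00d2g01",)))
```

Note that "g00d2g01" is rejected even though it satisfies a typical length-plus-digits rule: once the substitutions are undone, half of its letters are the word "good". The generic user message is the point the post makes about not announcing the rules; the detailed reasons belong in the admin's log, not on the login page.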
