If a password consists of all characters of the same class except possibly for the first or last characters, then: if they are all digits, then log(10) bits of entropy per character. If they are all uppercase or all lowercase, then log(26).
If there is a capital letter in a place other than at the beginning, or a number or punctuation other than at the end, then log(95) per character.
Some corner cases remain to be specified.
Then, simply require a certain amount of entropy (thus defined) in users' passwords. Users can choose whether to use a long password with little entropy per character or a short one with lots of entropy per character.
Perhaps forbid characters which cause the underlying data storage or UI to become confused (e.g., space).
Consecutive repeated characters count as 1+log of the repeat count.
No comments :
Post a Comment