Community Record: 12 Posts, 0 Kudos, 0 Solutions
Sep 20 2017, 2:05 AM
I'm not arguing just to argue, I'm trying to provide a view that isn't often discussed or considered on how usernames and credentials can be made more secure, which is the root of the whole post: making a user's login harder to know. Of course, the more entropy you add to a password, the harder it is to guess; I've never said otherwise in any of my statements. What I'm trying to say is that allowing special characters is not the only way to make a login more secure and shouldn't be considered a requirement.
Sep 20 2017, 1:17 AM
"If you have a X character long password without special characters and one without special characters the time to brute force is significantly longer." That's not entirely accurate; you're assuming too much when trying to solve for this. This is only true if you know what to look for and limit the character set during the brute force. If I have a list of encrypted passwords and the character set is known to be 95 characters, let's say, I will have just as much chance of finding a password with just lowercase letters as one with all combinations of character types. Of course that also depends on how the brute-force code iterates through finding matches. If it first tries all lowercase, for example, it will find it faster than one with more character types.
Sep 19 2017, 4:27 PM
I'd feel more secure knowing my password is 1111111111111111111111111111111111111111111111111111111111111111 compared to (n4k7#L! any
Sep 19 2017, 4:15 PM
As you mentioned, having a larger pool of characters as part of the potential options absolutely adds to the strength. This is why all Unicode characters (160k+) should be supported; then a 4-character password takes drastically longer, having ~6.5E+20 permutations, than the 8-character upper/lower/number/special combination, which typically has a pool of just 95 characters with just ~4.90E+15 permutations.
Sep 19 2017, 4:00 PM
When requiring these special characters and complex passwords, sites reveal how I'd go about building a smarter algorithm to crack these passwords. When listing the requirements like the Cisco site does (1 uppercase, 1 lowercase, 1 number, 8 to 60 characters, English characters: A-z, 0-9, @, -, _, or ., cannot match your email address or User ID), I now can limit the scope of my brute-force attack, massively reducing the time it takes to go through the initial list of all possible combinations. Having a unique email/username for every site absolutely adds to the security. If I had my email and password stolen from a site not using a modern password system, and let's be honest, not many do, having a unique email/username on every other site means I can't take those known credentials and use them on another site.
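The two posts above (the Unicode-vs-95-character permutation counts, and the point that a published composition rule narrows the space a defender is relying on) both come down to counting strings. The following is an added example, not the poster's code and not anything from the Cisco community site: it counts the strings an unconstrained pool allows, counts by inclusion-exclusion the strings a composition rule like the one quoted above actually leaves (so a policy owner can see how much of the nominal space the rule gives away), and sets both beside a longer, simpler password. The class sizes are constructed from printable ASCII, the 160,000 Unicode figure is the post's own estimate, and `constrained_keyspace` and `policy_report` are names chosen here.

```python
# Added example: keyspace arithmetic for comparing password policies.
# Class sizes are constructed from the 95 printable ASCII characters; the
# "rule quoted in the post" pool is A-Z, a-z, 0-9 and the four symbols @ - _ .
from itertools import combinations
from math import log2

ASCII_CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}   # 95 total
QUOTED_RULE_CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 4}  # 66 total


def keyspace(pool_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols drawn from `pool_size`."""
    return pool_size ** length


def bits(n: int) -> float:
    """Keyspace size as bits of entropy, assuming every string is equally likely."""
    return log2(n)


def constrained_keyspace(classes: dict, required: set, length: int) -> int:
    """Count strings of `length` over the union of `classes` that contain at least
    one symbol from every class named in `required`.

    Inclusion-exclusion: start with every string over the full pool, subtract the
    strings that miss one required class, add back those that miss two, and so on.
    """
    total_pool = sum(classes.values())
    req = sorted(required)
    count = 0
    for k in range(len(req) + 1):
        for missing in combinations(req, k):
            pool = total_pool - sum(classes[c] for c in missing)
            count += (-1) ** k * keyspace(pool, length)
    return count


def policy_report() -> dict:
    """(count, bits) for the policies discussed in the thread.

    The quoted rule is evaluated at its minimum length of 8, which is the part
    of the space a length-ordered search reaches first.
    """
    quoted_min = constrained_keyspace(QUOTED_RULE_CLASSES, {"upper", "lower", "digit"}, 8)
    sizes = {
        "8 chars, any of 95 printable ASCII": keyspace(sum(ASCII_CLASSES.values()), 8),
        "8 chars, quoted rule (min length)": quoted_min,
        "4 chars, ~160k Unicode code points": keyspace(160_000, 4),  # post's estimate
        "16 chars, lowercase only": keyspace(26, 16),
    }
    return {name: (n, round(bits(n), 1)) for name, n in sizes.items()}


if __name__ == "__main__":
    for name, (n, b) in policy_report().items():
        print(f"{name:38s} {n:>25,d}  {b:5.1f} bits")
```

Run it directly to print the table. The bit figures are upper bounds: they assume uniformly random choice, which human-chosen passwords never achieve, so the real gap between the policies in practice is decided by the dictionary and rule sets a cracker runs first, not by these totals.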
Sep 19 2017, 3:39 PM
Of course when you look at brute forcing a password, 8 characters with more symbols available reduces the time to crack that. You're only thinking of this technical aspect though. The most recent NIST recommendations also support removing the complexity component and enforcing more length along with a list of known bad passwords. And remember that most 2FA isn't really secure as it's mostly defaulting to SMS or not allowing SMS to be removed. One of the main points about increasing password length is how much easier it is for people to use and remember longer passwords. As per this study, a "comprehensive8" policy is the most challenging and also most likely to be written down on paper: http://users.ece.cmu.edu/~mmazurek/papers/chi2011_passwords_people.pdf Study participants experienced the most difficulty with the comprehensive8 requirements from beginning to end. Only 17.7 percent were able to create a password that met all of the requirements on the first try, compared to well over 50 percent for the rest of the conditions. Twenty-five percent of comprehensive8 testers gave up before they could even make a password that satisfied the requirements, compared to 18.3 percent or less for other conditions. Over 50 percent of comprehensive8 participants stored their password either on paper or electronically, compared to 33 percent for those with the 16-character minimum and less for the rest of the conditions.
Sep 19 2017, 2:46 PM
I do find that not allowing special characters is unusual, but they don't make a password more secure. Making the password longer is the best option. If the DB of stored passwords is compromised and encryption keys stolen, key logger, etc., then neither is relevant really. The idea of having a 'strong' password I think is a myth. If you think of it, emails are also part of your password and should be unique as well. When a site has been compromised and emails and passwords obtained, as the owner of this info I can now use your email and password on all of the most popular sites to see if I get a match. Keeping your emails, usernames and passwords unique increases the likelihood that credentials from one site can be used on another. I later checked my Cisco pwd and it does contain special characters, so I'm curious to know if this is just for new accounts being created. I've had mine since 2014-11-01.