Why Asus new Password security policy is ridiculous

10^10-10^9-10^8-10^7-10^6-10^5-10^4-10^2-10^1-10^0=
8 888 889 889

That's a lot, and that's just if limited to 10-character passwords made of 0-9...
 
OK, thanks for the clarification. It looks like you might be misremembering some key details of what you read because, given a specific character set as the domain (e.g., 7-bit ASCII printable chars), increasing the length of a password always has a significant impact on password entropy (more so than the complexity of the string), and therefore increases the password strength. IOW, password length is considered to be the primary factor (although it's not the only factor) for increasing password strength.
I think @Merlin was talking about hashing a password, then it's correct.
Here is the standard equation used to calculate password entropy:

E = log₂(N^L)

Where E is the entropy in bits, L is the length of the password, and N is the size of the character set.
Your formula is correct when there are no restrictions.

With restrictions, N is no longer a constant value. It depends on the position in the string and the characters to the left of it.

For instance, say you're brute-forcing a 10-character password. The first 7 characters are lowercase letters. Now the rest can't possibly be lowercase letters, so there is no need to check them. Here you're actually shrinking the allowed character set for the last three characters, making the formula incorrect.

Believe me, that's built into professional software.
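To put numbers on the two posts above, here is an added example (not code from the thread or from any Asus firmware) that counts the keyspace with and without a composition policy using inclusion-exclusion, and then counts the completions left once a prefix is fixed, as in the "7 lowercase letters, then the rest can't be lowercase" case. It assumes the 95 printable ASCII characters split into 26 lower, 26 upper, 10 digits and 33 symbols, and a policy that requires at least one character from each class.

```python
import math
from itertools import combinations

# Constructed character-class sizes for the 95 printable 7-bit ASCII characters
# (assumption: 26 lower, 26 upper, 10 digits, 33 symbols).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALL_CLASSES = list(CLASSES)

def unrestricted_keyspace(length, classes=CLASSES):
    """N^L from the thread's formula: any printable character at any position."""
    return sum(classes.values()) ** length

def restricted_keyspace(length, required, classes=CLASSES):
    """Strings of `length` over the full alphabet that contain at least one
    character from every class in `required`, counted by inclusion-exclusion
    over the subsets of required classes a string could be missing."""
    n = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = n - sum(classes[c] for c in missing)
            total += (-1) ** k * alphabet ** length
    return total

def completions(length, prefix_classes, required, classes=CLASSES):
    """Ways to finish a `length`-character password once the characters seen
    so far (given by class) are fixed: the remaining positions must still
    supply every required class the prefix lacks. This is the general form of
    the thread's '7 lowercase, then the rest can't be lowercase' case."""
    still_needed = [c for c in required if c not in prefix_classes]
    return restricted_keyspace(length - len(prefix_classes), still_needed, classes)

def entropy_bits(keyspace):
    """E = log2(keyspace); equals log2(N^L) only when nothing is required."""
    return math.log2(keyspace)

if __name__ == "__main__":
    full = unrestricted_keyspace(10)
    policy = restricted_keyspace(10, ALL_CLASSES)
    print(f"10 chars, no policy:              {entropy_bits(full):.2f} bits")
    print(f"10 chars, all 4 classes required: {entropy_bits(policy):.2f} bits")
    # After 7 lowercase letters only 3 positions remain, and each must be a
    # different one of upper/digit/symbol: 3! * 26 * 10 * 33 = 51480 candidates
    # instead of 95**3 = 857375.
    print("remaining after 7 lowercase:", completions(10, ["lower"] * 7, ALL_CLASSES))
```

The overall entropy loss from the policy is under a bit for a 10-character password, but a guesser that knows the policy can prune candidate prefixes early, which is the effect the post above describes.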
 
IMHO, enforcement of password policies is a good thing, even though by creating this policy it's now weakening the whole process, as we now have one more metric than before when brute-forcing this account. Fail2Ban will only take us so far. With unlimited resources and time, along with cheap hash rate (hashcat) and the ability to quickly spin up and destroy instances (IPs), IP blocking alone will only take you so far, with DDoS added to the equation.

A related and interesting read on this topic

Brute-force attack mitigation on remote access services via software-defined perimeter:
URL: https://www.nature.com/articles/s41598-025-01080-5
 
Length. I don't remember exact numbers because I read that years ago, but I remember an article mentioning that past a certain number of characters, there were very limited gains in password strength. Someone with a better understanding of crypto than me would be better able to explain this; crypto has never been an area of expertise for me. Too much maths for my taste.
It's generally accepted as 15 in security circles. Complex non-dictionary words, and at least 15 in length. At 15 and over it's incredibly difficult.
 