Why Asus new Password security policy is ridiculous

10^10-10^9-10^8-10^7-10^6-10^5-10^4-10^2-10^1-10^0=
8 888 889 889

That's a lot, and that's just if limited to 10-character passwords using 0-9...
 
OK, thanks for the clarification. It looks like you might be misremembering some key details of what you read because, given a specific character set as the domain (e.g., 7-bit ASCII printable chars), increasing the length of a password always has a significant impact on password entropy (more so than the complexity of the string), and therefore increases the password strength. IOW, password length is considered to be the primary factor (although it's not the only factor) for increasing password strength.
I think @Merlin was talking about hashing a password, then it's correct.
Here is the standard equation used to calculate password entropy:

E = log₂(N^L)

Where E is the entropy in bits, L is the length of the password, and N is the size of the character set.
Your formula is correct when there's no restrictions.

With restrictions the N is no longer a constant value. It depends on the position in the string and the characters to the left.

For instance, say you're brute forcing a 10 character password. The first 7 characters are lower case letters. Now the rest can't possibly be lower case letters, no need to check. Here you're actually shrinking the allowed character set for the last three characters, making the formula incorrect.

Believe me, that's built into professional software.
 
IMHO enforcement of password policies is a good thing.. even though by creating this policy it's now weakening the whole process, as now we have one metric more than before for brute forcing this account. Fail2Ban will only take us so far.. With unlimited resources and time, along with cheap hash rate (hashcat) and the ability to quickly spin up and destroy instances (IPs),
IP blocking alone will only take you so far, with DDoS added to the equation..

A related and interesting read on this topic

Brute-force attack mitigation on remote access services via software-defined perimeter:
URL: https://www.nature.com/articles/s41598-025-01080-5
 
Length. I don't remember exact numbers because I've read that years ago, but I remember an article mentioning that past a certain number of characters, there was very limited gains in password strength. Someone with better understanding in crypto than me would better be able to explain this, crypto has never been an area of expertise for me. Too much maths for my taste.
It's generally accepted as 15 in security circles. Complex non-dictionary words, and at least 15 in length. At 15 and over it's incredibly difficult.
 
It’s maybe over my head indeed, but if the minimum length is 10 now and there was no restriction before, doesn’t that mean that a subset of previous possible combinations a hacker should try no longer need to be tested, making the search space smaller? (and thus a smaller entropy?)
You really have to take a moment to consider and clearly conceptualize the extremely large numbers involved when talking about the sum total of all possible password permutations that remain available, given the allowed range, the maximum limit, and the available character set.

Imagine taking two million gallons of water out of the ocean, and then worrying that the ocean now has less water for sailing. Yes, technically and physically, the ocean has less water than before, but the amount taken is so insignificant and negligible when compared to what remains available that, for all intents and purposes, the act is essentially meaningless - like taking a spoonful of water out of an Olympic-size swimming pool.
 
I think @Merlin was talking about hashing a password, then it's correct.
Hashing a password has nothing to do with calculating the entropy of the password or determining the password strength. Each hashing algorithm is a one-way function that creates a fixed-length, unique digital signature that is mathematically tied to the password string from which it was generated, but that's a completely separate step, and it's actually independent of the original purpose of the raw data string being hashed.

Your formula is correct when there's no restrictions.

With restrictions the N is no longer a constant value. It depends on the position in the string and the characters to the left,

For instance, say you're brute forcing a 10 character password. The first 7 characters are lower case letters. Now the rest can't possibly be lower case letters, no need to check. Here you're actually shrinking the allowed character set for the last three characters, making the formula incorrect.

Believe me, that's built in in professional software.
You seem to be very confused or have no clear understanding of the purpose and technical definition of password entropy, and especially about how passwords are hacked using brute force or dictionary attacks. I'm not going to explain computational and information theory principles and concepts, or authentication algorithms, here in this thread. Suffice to say that, despite what you may see in some movies or TV shows, passwords are not hacked as if they were combination locks or old-style bank vaults where each turn of the rotating mechanism can yield a potentially valid entry while accumulating previously-found valid entries for the correct numeric permutation (and yes, technically it's a permutation lock, *not* a combination lock). In reality, each attempt at hacking a password, especially a properly-salted hashed password, is an all-or-nothing proposition - you don’t guess correctly, one by one, the first seven chars and then continue to work on the rest, LOL!!! :eek:🤣

I don't know what your technical background is, but I'd advise you to read professional journals, white papers, or take a class at your local college or university to educate yourself more about this topic so you can at least dispel all your misconceptions.
 
Its generally accepted as 15 in security circles. Complex non dictionary words, and at least 15 in length. At 15 and over its incredibly difficult.
I have a few friends who work in IT and cybersecurity (government & private sectors) whom I met through my job, and the overall consensus nowadays is that 15 chars is the bare minimum, especially when trying to secure access to sensitive data like financial accounts (e.g. banks, credit cards), health insurance providers, online shopping accounts (e.g. Amazon, Costco, etc.), personal and work-related email accounts, and even our home network gateways.

However, for network admins and people accessing highly sensitive/confidential corporate data, passwords are slowly being left behind in favor of 25-to-30-character passphrases (which are easier to memorize but still extremely difficult to hack), physical security keys, and SSH certificate-based authentication.

For example, at work, starting in 2018, we slowly began migrating all our SSH login authentication protocols to SSH certificates, which paid off big time when the COVID-19 pandemic hit in 2020, and remote work became necessary across the company, so both VPN and SSH for remote access were the norm.

In any case, the takeaway from all the discussions on this thread should be, IMO, that users need to make it much more - not less - difficult for anyone to hack their passwords. And you don't even need to memorize all your long passwords/passphrases; there are non-cloud, locally-stored password vaults and password managers that are free to use (no subscription necessary) and readily available to anyone willing to make the extra effort and take the time to learn better security practices.
 
I have a few friends who work in IT and cybersecurity (government & private sectors) whom I met through my job, and the overall consensus nowadays is that 15 chars is the bare minimum, especially when trying to secure access to sensitive data like financial accounts (e.g. banks, credit cards), health insurance providers, online shopping accounts (e.g. Amazon, Costco, etc.), personal and work-related email accounts, and even our home network gateways.

However, for network admins and people accessing highly sensitive/confidential corporate data, passwords are slowly being left behind in favor of 25-to-30-character passphrases (which are easier to memorize but still extremely difficult to hack), physical security keys, and SSH certificate-based authentication.

For example, at work, starting in 2018, we slowly began migrating all our SSH login authentication protocols to SSH certificates, which paid off big time when the COVID-19 pandemic hit in 2020, and remote work became necessary across the company, so both VPN and SSH for remote access were the norm.

In any case, the takeaway from all the discussions on this thread should be, IMO, that users need to make it much more - not less - difficult for anyone to hack their passwords. And you don't even need to memorize all your long passwords/passphrases; there are non-cloud, locally-stored password vaults and password managers that are free to use (no subscription necessary) and readily available to anyone willing to make the extra effort and take the time to learn better security practices.
Yup, just search ‘password managers’, we’re spoilt for choice.
 
Hashing a password has nothing to do with calculating the entropy of the password or determining the password strength. Each hashing algorithm is a one-way function that creates a fixed-length, unique digital signature that is mathematically tied to the password string from which it was generated, but that's a completely separate step, and it's actually independent of the original purpose of the raw data string being hashed.


You seem to be very confused or have no clear understanding of the purpose and technical definition of password entropy, and especially about how passwords are hacked using brute force or dictionary attacks. I'm not going to explain computational and information theory principles and concepts, or authentication algorithms, here in this thread. Suffice to say that, despite what you may see in some movies or TV shows, passwords are not hacked as if they were combination locks or old-style bank vaults where each turn of the rotating mechanism can yield a potentially valid entry while accumulating previously-found valid entries for the correct numeric permutation (and yes, technically it's a permutation lock, *not* a combination lock). In reality, each attempt at hacking a password, especially a properly-salted hashed password, is an all-or-nothing proposition - you don’t guess correctly, one by one, the first seven chars and then continue to work on the rest, LOL!!! :eek:🤣

I don't know what your technical background is, but I'd advise you to read professional journals, white papers, or take a class at your local college or university to educate yourself more about this topic so you can at least dispel all your misconceptions.
You sure like to kill the messenger when you disagree. In this case you (deliberately?) misunderstand what I said:
For instance, say you're brute forcing a 10 character password. The first 7 characters are lower case letters.
I did not say that the program KNEW the first 7 characters. Just that it reached a step in its iteration where the first 7 characters are lower case letters. In that case it can skip all iterations where one of the last characters is a lower case letter.

You insist on saying that restrictions do not give fewer permutations (and lower entropy).

I will now provide some very simple math that should be impossible to misunderstand:

Let's say you have a 2 character password consisting of numbers.

First WITHOUT restrictions:

1st character: you have 10 possible values.
2nd character: you have 10 possible values.
P = 10 * 10 = 100
(so far I think we agree)

Now we add a restriction: No consecutive numbers.
1st character: you have 10 possible values.
2nd character: you have only 9 possible values. (you can't choose the same character again)
P = 10 * 9 = 90

90 < 100 (P is less by applying restriction!)


If you answer, don't write a novel, simply prove my math is wrong (without killing the messenger).
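As an added worked example (not code from any poster in this thread), the Python below evaluates the entropy formula E = log₂(N^L) quoted earlier and then the same keyspace under the restrictions the thread argues about: the "no consecutive repeat" rule (10 × 9 = 90 for two digits), a "must contain every character class" rule, and a raised minimum length. The split of the 95 printable ASCII characters into four classes is an assumption made for the example.

```python
import math
from itertools import combinations

# Assumed split of the 95 printable 7-bit ASCII characters into classes.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def entropy_bits(keyspace: int) -> float:
    """E = log2(keyspace); equals log2(N^L) = L*log2(N) for an unrestricted set."""
    return math.log2(keyspace)

def keyspace_unrestricted(n: int, length: int) -> int:
    """N^L: every position may hold any of the N characters."""
    return n ** length

def keyspace_no_adjacent_repeat(n: int, length: int) -> int:
    """Rule 'a character may not equal the one before it': N choices for the
    first position, N-1 for every later one (10 * 9 = 90 for two digits)."""
    return n * (n - 1) ** (length - 1) if length else 1

def keyspace_all_classes_required(classes: dict, length: int) -> int:
    """Strings of this length over the union of the classes that contain at
    least one character from EVERY class, counted by inclusion-exclusion over
    the sets of classes that could be missing."""
    sizes = list(classes.values())
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count

def keyspace_length_range(n: int, min_len: int, max_len: int) -> int:
    """All passwords whose length lies in [min_len, max_len]."""
    return sum(n ** length for length in range(min_len, max_len + 1))

def bits_lost(unrestricted: int, restricted: int) -> float:
    """How much entropy a restriction removes, in bits."""
    return math.log2(unrestricted) - math.log2(restricted)

if __name__ == "__main__":
    n = sum(CLASSES.values())  # 95
    full = keyspace_unrestricted(n, 10)
    print(f"10 chars, unrestricted: {entropy_bits(full):.2f} bits")
    print(f"  no adjacent repeat removes {bits_lost(full, keyspace_no_adjacent_repeat(n, 10)):.3f} bits")
    print(f"  every class required removes {bits_lost(full, keyspace_all_classes_required(CLASSES, 10)):.3f} bits")
    # Raising the minimum from 1 to 10 drops all shorter candidates, yet the
    # remaining keyspace loses only a tiny fraction of a bit.
    everything = keyspace_length_range(n, 1, 10)
    print(f"  min length 1 -> 10 removes {bits_lost(everything, full):.4f} bits")
```

Both sides of the argument show up in the numbers: every restriction does make the keyspace smaller, and the loss measured in bits is small next to the bits gained by each extra character.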