Sujet Les images qui tordent (ou pas)

Complex password is the one where silly developers ask the user to enter something like one upper case letter, one number, and sometimes even one special character. In their minds, this for example is a secure password:

5-Nope!
It has a number, two special characters (minus and exclamation mark), and one upper case letter. Let’s do basic math now.

In each slot we can put 52 letters (upper + lower case), 10 numbers, and about 12 commonly used special characters. That is 74 different options for each slot. Hell, let’s round that up to 80.

By forcing the user to enter a minimum of 7 characters, this gives us a minimum of (80ˆ7):

20 . 971 . 520 . 000 . 000

password variants.

Now, let’s see what “insecure” password would give us. Say we allow only upper and lower case letters but we increase minimum by one, to eight characters. In each slot we can put 52 characters, this would give us (52ˆ8):

53 . 459 . 728 . 531 . 456

See? 53 trillion versus 21 trillion. A password which is easy to remember because user does not have to fiddle with pesky characters is actually safer and harder to brute-force hack.

Le problème, c'est les attaques par dictionnaires. Dans ce genre d'attaque on teste tous les mots de la langue française (et/ou anglaise) et il n'y en a pas tant que ça... Si on donne la possibilité de ne choisir que parmi des mots de 8 caractères à coup sûr les utilisateurs vont choisir en majorité des mots du dictionnaire. En obligeant à mettre un caractère spécial on est sauvé.
https://xkcd.com/936/