Password Namespace

Chris recently complained about the phenomenon of services requiring you to enter all sorts of weird characters in new passwords before accepting them. We both remarked about how this is amusingly potentially less secure than allowing the user to select whatever password they want. Why is that so?

Making the assumption that people will select "good" passwords (an assumption that is utterly incorrect, which is why the services make you put crazy things in your passwords), there is a specific number of combinations of characters that a password can consist of. By restricting one of the characters used in your password to a specific character, you've actually reduced the number of combinations. Let's try a synthetic example.

Suppose that you are to create a 3-digit password from the characters "a,b,c". The number of combinations you can assemble these characters in is:

(the number of character options) ^ (the number of characters used)

In this case, 3^3 or 27 different possible passwords. Now, if I told you that one of the characters had to be an "a", that would significantly reduce the number of combinations to 19.

Using more characters in the combination makes the reduction in options even more significant. And if the password system requires you to use, say, "at least one number and at least one symbol" that reduces the namespace even more.
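To make the reduction concrete, here is an added example (not part of the original post) that counts the constrained combinations with inclusion-exclusion rather than by hand, cross-checks the post's 3-character "abc" case against brute-force enumeration, and then applies the same formula to the "at least one number and at least one symbol" rule over a constructed 95-character printable-ASCII alphabet. The alphabet definitions and the 8-character length are assumptions chosen for the illustration; the `bits_lost` figure is the entropy a uniformly random password gives up under the rule.

```python
from itertools import product
from math import log2

# Constructed alphabet for the illustration (an assumption, not from the post):
# the 95 printable ASCII characters, space included.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "".join(chr(c) for c in range(32, 127) if chr(c) not in LOWER + UPPER + DIGITS)
PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 26 + 26 + 10 + 33 = 95 characters


def count_constrained(length, alphabet_size, class_sizes):
    """Count strings of `length` over `alphabet_size` symbols that contain at
    least one symbol from each required class (classes are disjoint).

    Inclusion-exclusion: for every subset of classes, count the strings that
    avoid that whole subset, (N - size of subset)^length, and alternate the
    sign by subset size. What survives is the count of strings that avoid
    no required class, i.e. strings satisfying the rule.
    """
    k = len(class_sizes)
    total = 0
    for mask in range(1 << k):
        missing = [class_sizes[i] for i in range(k) if mask >> i & 1]
        sign = -1 if len(missing) % 2 else 1
        total += sign * (alphabet_size - sum(missing)) ** length
    return total


def count_by_enumeration(length, alphabet, required_classes):
    """Brute-force cross-check: enumerate every string and apply the rule
    directly. Only feasible for tiny alphabets; used to validate the formula."""
    return sum(
        1
        for pw in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in pw) for cls in required_classes)
    )


def bits_lost(length, alphabet_size, class_sizes):
    """Entropy (bits) removed from a uniformly chosen password by the rule:
    log2(unconstrained keyspace) - log2(constrained keyspace)."""
    unconstrained = alphabet_size ** length
    constrained = count_constrained(length, alphabet_size, class_sizes)
    return log2(unconstrained) - log2(constrained)


if __name__ == "__main__":
    # The post's toy case: 3 characters from "abc", at least one must be "a".
    print(count_constrained(3, 3, [1]))            # 19, as the post states
    print(count_by_enumeration(3, "abc", ["a"]))   # 19, same answer by enumeration

    # 8 printable-ASCII characters, "at least one digit and at least one symbol".
    rule = [len(DIGITS), len(SYMBOLS)]
    print(count_constrained(8, len(PRINTABLE), rule))
    print(round(bits_lost(8, len(PRINTABLE), rule), 3))
```

Running the script reproduces the post's 19 and then reports how many of the 95^8 eight-character passwords survive the two-class rule, together with the bits of entropy lost; changing `length` or the class sizes lets you measure any "pick at least one of these" policy the same way.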

Granted, the goal of such systems is to get you to select a good password, primarily something that isn't going to be found using a dictionary attack, where a hacker runs through a list of common words and attempts to use them as the password. But a user should have the option to create a password that does not meet these arbitrary criteria if the password is otherwise "good", since it would be outside of the typical "pick at least one of these" set of passwords.

Oh, while I'm on the topic... Your password that so cleverly converts letters into their numerical counterparts? Yeah, everybody does that. The only reason you don't know that everyone does that is because people don't share their passwords to have this collective intelligence. I know that everyone does this because I have access to passwords on systems that I didn't make up.

You should realize that it's just a matter of time before the dictionary attacks include both "password" and "passw0rd". They probably already do. You're probably already hacked. Go change your password now.


4 Responses to Password Namespace

  1. Owen from asymptomatic.net 1970-01-01 00:00:00

    Or, as Chris says, "Nevermind, I'll change it for you."

  2. valerie from spoken-for.org 1970-01-01 00:00:00

    The Air Force requires, for their IM thing (guest login of course) that your password have two capital letters, two lower case letters, two symbols, two numbers, and be at least 9 characters in length. It's quite annoying :) I can't remember my password, ever, so I have to reset it every time I want to login, ha.

  3. skippy from skippy.net 1970-01-01 00:00:00

    We're implementing mandatory "strong password" complexity at work, where some folks have used the same (weak) password for nearly a decade. It is understandably hard for them to select a seemingly random collection of characters that they can remember.

    I've lately begun encouraging people to use a sentence, rather than a password. A sentence satisfies our complexity requirements: minimum 8 characters, it starts with a capital letter, and it ends with punctuation (non-alphanumeric). The presence of spaces is also helpful. "I hate this password!" and "I don't like the password policy." are both satisfactory for our system, as well as easy to remember but not exactly likely to exist in an attacker's dictionary.

    So far, the folks I've suggested this to have responded well, and I haven't had to reset many passwords. The folks that insist on trying mnemonic devices to remember some incomprehensible string of characters have had their passwords reset several times already.

  4. owen from asymptomatic.net 1970-01-01 00:00:00

    Sentences are certainly better than a simple 8-letter password. What is unfathomable to me are the places that insist on "evaluating" your password choice in this way, but then limit you to 10 characters total.
