The password requirement of a non-alphanumeric character is annoying and can't really help in the password world.
If someone wants to hack you they will.
Drop the requirement please.
Hi Robert - requiring non-alphanumeric characters improves the security of your password quite significantly - there has been a lot of research on this.
No it doesn't!
It just creates a culture of writing one's password down or sticking it to the computer monitor on a Post-it note.
The application of forcing people to create non-rememberable passwords is counterproductive. They either have to write them down or forget them completely.
That's my ten pence worth anyway.
You make a good point, Albert. One of my Christmas presents last year was a book called Against Security, which discusses the wider areas of security as a process and security as theatre and the importance of the human and cultural issues involved. However, people can be taught to create easy-to-remember yet hard-to-crack passwords quite easily.
One of my father's favorite jokes was that Albert Ramsbottom was fed up with his name and decided to change it to Fredrick Ramsb0tt0m-.
According to the How Secure Is My Password site, it would take a desktop PC about a year to crack the password Ramsbottom and about 4,000 years to crack the password Ramsb0tt0m-. However, as I teach my students, most hackers are not evil geniuses and they will go for the low-hanging fruit and walk around the desks until they find that handy little yellow sticky bit of paper.
Just add a dash to your password string. How annoying can that be?
That research is not very good research.
Google considering a FOB is about the only real password protection.
One more point, who is after my Moodle.org password?
You really think an @ sign will secure your password?
Added length could balance lack of special characters.
Mixing languages could help. Added length could help. Each should be an option. Allowing special characters makes the system as difficult as requiring them IMO.
Which is more difficult to crack?
The last 2 passwords mix languages and hide duplicate characters within a word by changing case. Whatever is used should be easy for humans to remember and difficult for computers to crack. Of course, the lazy man would choose A.
A case where special characters would probably aid crackers would be:
Some websites offer a heuristic analysis to determine password strength rather than a set of fixed requirements.
Ah, security vs. usability.
Your suggestion is a best of both worlds approach as people have to be taught how to create secure yet rememberable passwords.
At my last company I developed a relationship with the branch IT head. The company changed the admin password on a monthly basis, so he had no problem telling me what it was on the last day as he typed a lengthy string on my PC to authorize a system update. The company had no requirements except length. Employees were later encouraged to use extended phrases of personal meaning for their own passwords. They are easy to remember and hard to breach with brute force. Perhaps not quite as secure against confidence schemes, but I never saw post-it'ed passwords around the office.
The admin password he typed? "savethecheerleadersavetheworld"
For the record, I find the requirement of non-alphanumeric characters annoying. I also find the requirement of numerals annoying. I guess I'm hard to please...
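
An added example, not code from any poster in this thread: a minimal heuristic strength estimator of the kind mentioned above, comparing a brute-force upper bound with a dictionary-plus-substitution model for the passwords quoted in the discussion. The wordlist, the assumed 100,000-word dictionary size, the substitution table and the one-bit-per-swap costing are all assumptions made for illustration.

```python
import math
import string

# Constructed stand-ins (assumptions): a tiny wordlist and the size of a real one.
WORDLIST = {"ramsbottom", "password", "moodle"}
ASSUMED_WORDLIST_SIZE = 100_000
# Substitutions a cracking rule set routinely reverses (assumed subset).
LEET = str.maketrans("01345@$", "oleasas")
LEET_TARGETS = set("oleas")
TAIL = string.digits + string.punctuation


def brute_force_bits(password):
    """Upper bound: every character drawn at random from the classes in use."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def dictionary_bits(password):
    """Cost of guessing word + capitalisation + leet swaps + short tail, or None."""
    core = password.rstrip(TAIL)
    word = core.lower().translate(LEET)
    if word not in WORDLIST:
        return None
    swappable = sum(1 for c in word if c in LEET_TARGETS)  # one bit per possible swap
    tail_bits = (len(password) - len(core)) * math.log2(len(TAIL))
    return math.log2(ASSUMED_WORDLIST_SIZE) + 1 + swappable + tail_bits


def estimate_bits(password):
    """Heuristic strength: the cheaper of the two attack models."""
    brute = brute_force_bits(password)
    guided = dictionary_bits(password)
    return brute if guided is None else min(brute, guided)


if __name__ == "__main__":
    for pw in ("Ramsbottom", "Ramsb0tt0m-", "savethecheerleadersavetheworld"):
        print(f"{pw:32} brute={brute_force_bits(pw):6.1f} heuristic={estimate_bits(pw):6.1f}")
```

The figure for the long phrase is only the brute-force upper bound, because this sketch does not model well-known phrases or multi-word dictionaries.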