[ELI5] Why are we required to include at least one uppercase and one symbol and/or numbers when creating a password?


Doesn’t this make your password more vulnerable as it gives a clue to what it is? Also if it’s not a word from a dictionary, why would it matter? Shouldn’t a pw like iilpipi technically be as secure as 11Lpipi?


4 Answers

Anonymous

The idea is that it increases the entropy of the password. If you allowed just lowercase words, then you could easily breach a password with a standard dictionary attack (there are only about 170k words in English – a trivial amount for a brute force attack).

By forcing at least one of those to be a capital letter, you exponentially increase the number of possible passwords – even more so if you require numbers as well. **password** would show up in a standard dictionary attack, but **pa$sW0rd** would not – the attack would need to include millions of additional guesses to cover all of the permutations.

That all said, this is somewhat archaic advice. Password complexity requirements like this end up creating _less_ security, because people reuse or write down passwords they struggle to remember. Most security experts agree that passphrases are a better solution, particularly when combined with one-time passwords from TOTP apps.

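The entropy argument in the answer above can be checked with a few lines of arithmetic. The following is an added example, not code from the original thread or its posters: it counts the keyspace of a 7-character password under different policies (lowercase only, any mix of classes, and a mix with at least one uppercase and one digit required, computed by inclusion-exclusion) and compares that with a single dictionary word and with a multi-word passphrase. The class sizes, the 170k English-word figure and the 7776-word passphrase list size are assumptions for illustration.

```python
import math

# Constructed sizes used for the comparison (assumptions, not thread data)
LOWER = 26
UPPER = 26
DIGITS = 10
ENGLISH_WORDS = 170_000   # rough figure quoted in the answer
WORDLIST = 7776           # size of a common diceware-style list (6**5)


def keyspace_at_least_one_each(length, classes):
    """Count strings of `length` over the union of the character classes
    that contain at least one character from EVERY class.

    Uses inclusion-exclusion: for each subset of classes that is left out,
    count strings over the remaining alphabet and alternate the sign.
    `classes` is a list of class sizes, e.g. [26, 26, 10] for lower/upper/digit.
    """
    n = len(classes)
    total = 0
    for mask in range(1 << n):
        excluded = [classes[i] for i in range(n) if (mask >> i) & 1]
        alphabet = sum(classes) - sum(excluded)
        sign = -1 if len(excluded) % 2 else 1
        total += sign * alphabet ** length
    return total


def bits(count):
    """Entropy in bits of a uniform choice among `count` possibilities."""
    return math.log2(count)


def passphrase_bits(words, list_size=WORDLIST):
    """Entropy of `words` words drawn uniformly from a list of `list_size`."""
    return words * bits(list_size)


def policy_report(length=7):
    """Bits of entropy for several password policies at the given length."""
    return {
        # a single English word, as in the answer's dictionary-attack case
        "dictionary word": bits(ENGLISH_WORDS),
        # e.g. the questioner's 'iilpipi': lowercase letters only
        "lowercase only": bits(LOWER ** length),
        # any mix of lower/upper/digit with no class required
        "mixed, any": bits((LOWER + UPPER + DIGITS) ** length),
        # at least one uppercase AND one digit required (e.g. '11Lpipi')
        "mixed, upper+digit required": bits(
            keyspace_at_least_one_each(length, [LOWER, UPPER, DIGITS])
            - keyspace_at_least_one_each(length, [LOWER, UPPER, DIGITS]) * 0
        ) if False else bits(
            # strings over the 62-char alphabet that contain at least one
            # uppercase and at least one digit (lowercase may be absent)
            keyspace_at_least_one_each(length, [UPPER, DIGITS, LOWER])
            + keyspace_at_least_one_each(length, [UPPER, DIGITS])
        ),
        # four and five random words from the word list
        "passphrase, 4 words": passphrase_bits(4),
        "passphrase, 5 words": passphrase_bits(5),
    }


if __name__ == "__main__":
    for name, b in policy_report().items():
        print(f"{name:30s} {b:6.1f} bits")
```

Two things stand out in the output. Requiring specific classes adds a large amount over lowercase-only (about 41 bits versus 33 for seven characters), but it is actually slightly *below* the unconstrained 62-character mix, because the rule excludes every string that lacks the required classes; that is the grain of truth in the questioner's worry. And four random words from a 7776-word list already exceed the seven-character mixed password by roughly ten bits while being far easier to remember, which is the passphrase point made at the end of the answer.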