<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 9/7/22 14:07, Phillip Hallam-Baker
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMm+LwgLu35BD2ZfwCm=ma27vzDqzMoseiuxFe7Xq6STabBUnQ@mail.gmail.com">If
rate limits are an acceptable control, there would have never been
the need to introduce the stupid special characters in the first
place. If Mallet is limited to 5 tries in an hour, Alice could use
a simple password with little risk.</blockquote>
<p>I think there are decent arguments that all those password format
rules <i>are</i> pointless. Though I do grudgingly admire them as
a way make it a little more difficult to recycle passwords, as a
password that satisfies one set of rules often doesn't satisfy the
next set.<br>
</p>
<p>My ATM card has a 4-digit PIN. Certainly the PIN isn't the only
security measure in play, but as part of the larger system can
work quite well. Somewhat smaller than 2^80, too.</p>
<p><br>
</p>
<p>-kb</p>
<br>
</body>
</html>