<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 7, 2022 at 5:26 PM Kent Borg <<a href="mailto:kentborg@borg.org">kentborg@borg.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>On 9/7/22 14:07, Phillip Hallam-Baker
wrote:<br>
</div>
<blockquote type="cite">If
rate limits are an acceptable control, there would have never been
the need to introduce the stupid special characters in the first
place. If Mallet is limited to 5 tries in an hour, Alice could use
a simple password with little risk.</blockquote>
<p>I think there are decent arguments that all those password format
rules <i>are</i> pointless. Though I do grudgingly admire them as
a way to make it a little more difficult to recycle passwords, as a
password that satisfies one set of rules often doesn't satisfy the
next set.<br>
</p>
<p>My ATM card has a 4-digit PIN. Certainly the PIN isn't the only
security measure in play, but as part of the larger system can
work quite well. Somewhat smaller than 2^80, too.</p></div></blockquote><div><div class="gmail_default" style="font-size:small">The PIN is not the primary authentication factor, the card is. The PIN is merely a secondary factor to reinforce the first. So it doesn't have to be 2^80 secure.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Now in the US, the card is not much of an authenticator as the information on the strip is easily guessed for many banks. But France has had smart cards for ATM cards for decades.</div><br></div><div><br></div><div> </div></div></div>