I am trying to calculate the impact on the overall password complexity of a specific (and questionable) password criterion.
Let's say that a user has a username of 8 characters (lowercase and upper) and has to choose a new password. The password criteria are the following:
- 8 or more characters.
- At least 1 number [0-9].
- At least 1 uppercase [A-Z].
- At least 1 lowercase [a-z].
- The password must NOT contain 3 or more characters (consecutive or not) from the username. This is the criterion that bothers me.
For example, if a username is "MRSomeone", his password "Smnabc12" would be rejected because it contains S+m+n.
I know this last criterion lowers the possible password space, but how do I calculate its effect precisely (with this criterion vs. without)?
The best answer I've come up with so far:
Hypothesis:
Username is 8 distinct characters (Abcdefg)
Password is 8 characters long (upper, lower, numbers)
Character space: 62 characters (26 lower, 26 upper, 10 numbers)
Calculations:
Total combinations without criteria: 62^8 passwords (218 340 105 584 896 combinations)
Total combinations with criteria: 62*62*54^6 passwords (95 311 639 021 824 combinations)
Explanation:
First two characters are unrestricted, they can be of any value (62 possible values). Following 6 characters cannot be part of the username (62 - 8 = 54 possible values).
Conclusion:
In conclusion, with this hypothesis, this criterion reduces the number of passwords by 43.65% ((95 311 639 021 824 / 218 340 105 584 896) * 100).
Bonus:
With any scenario, I can exclude the following combinations which would not be complex enough and rejected :
- All numbers: 10^8 combinations
- All lowercase: 26^8 combinations
- All uppercase: 26^8 combinations
- Only uppercase and numbers: (26+10)^8 combinations
- Only lowercase and numbers: (26+10)^8 combinations
- Only lowercase and uppercase: (26+26)^8 combinations
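As an added worked example (not part of the original question), the Python below counts the accepted passwords exactly instead of estimating them: it reads the username rule as "at most 2 password positions may hold a character that appears anywhere in the username", counts that rule and the three character-class rules together with a small dynamic programme, and cross-checks the count by brute force for short lengths. The username "Abcdefgh" used in the tests is a constructed 8-distinct-character value; `password_ok`, `count_passwords` and `count_by_enumeration` are names chosen here.

```python
import string
from itertools import product

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
ALPHABET = "".join(CLASSES)  # the 62-character space used in the question

def password_ok(pw, username, max_from_username=2, require_classes=True):
    # max_from_username: how many password positions may hold a character that
    # appears anywhere in the username ("not 3 or more, consecutive or not"
    # means at most 2); None disables that rule.
    if max_from_username is not None:
        uname = set(username)
        if sum(1 for ch in pw if ch in uname) > max_from_username:
            return False
    if require_classes:  # at least one lowercase, one uppercase, one digit
        return all(any(ch in cls for ch in pw) for cls in CLASSES)
    return True

def count_passwords(length, username, max_from_username=2, require_classes=True):
    # Exact count by dynamic programming over positions. State: (username
    # characters used so far, bitmask of classes seen). Each class is split
    # into characters in the username and characters outside it, so both
    # rules are counted at once instead of estimated separately.
    uname = set(username)
    groups = []
    for idx, cls in enumerate(CLASSES):
        in_u = sum(1 for ch in cls if ch in uname)
        groups.append((1 << idx, in_u, len(cls) - in_u))
    states = {(0, 0): 1}
    for _ in range(length):
        nxt = {}
        for (used, mask), cnt in states.items():
            for bit, in_u, out_u in groups:
                key = (used, mask | bit)  # next char is not in the username
                nxt[key] = nxt.get(key, 0) + cnt * out_u
                if in_u and (max_from_username is None or used < max_from_username):
                    key = (used + 1, mask | bit)  # next char is a username char
                    nxt[key] = nxt.get(key, 0) + cnt * in_u
        states = nxt
    return sum(cnt for (used, mask), cnt in states.items()
               if not require_classes or mask == 0b111)

def count_by_enumeration(length, username, max_from_username=2, require_classes=True):
    # Brute-force cross-check of the DP; only practical for short lengths.
    return sum(1 for pw in product(ALPHABET, repeat=length)
               if password_ok(pw, username, max_from_username, require_classes))
```

`count_passwords(8, "Abcdefgh", None, False)` returns 62^8 and the same call with `max_from_username=2` returns the exact size of the space under the username rule, which can be compared with the 62*62*54^6 estimate above. Passing an empty username with `require_classes=True` reproduces the inclusion-exclusion count implied by the Bonus list.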