Question:
What would be the drawbacks of checking a password for keyspace instead of just checking for length and character classes used?
Details:
I've started to use phrases as passwords and more often than not I hit a wall with user-friendliness because password requirements block my passwords. Even worse, I've run into systems that have password length limits or don't accept spaces, etc.
For instance, take the standard password checker that wants at least 8 characters, 1 number, 1 uppercase letter, 1 lowercase letter and 1 symbol. If I want my password to be "stackoverflow is the best website ever", the checker would throw up an error, yet the keyspace of my passphrase is significantly larger than the basic requirement.
"C0mplex?" => 6.0956893 × 10^15
"stackoverflow is the best website ever" => 2.4650347 × 10^54
As I've had to design systems like this myself, I've started to explore the idea of checking the keyspace size of the password and requiring a minimum keyspace instead of specific traits (as well as common/obvious password checks of course). This way, it doesn't matter if you use an 8-character mixed-symbol password or a 12-character case-insensitive alphanumeric password; they both pass the complexity check.
Any thoughts/caveats you guys can see?
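
The keyspace check described in the question, as an added example that is not part of the original post: the pool is the sum of the character classes present, and the keyspace is pool size raised to the password length. The function names and the tiny blocklist are hypothetical; the 94-symbol and 27-symbol pools are assumed because they reproduce the two figures quoted above.

```python
import math
import string

# Character classes and their sizes. All four ASCII classes give 94 symbols;
# lowercase plus space gives 27 (assumed to match the figures in the post).
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
    (" ", 1),
]

MIN_KEYSPACE = 94 ** 8  # baseline: 8 characters using every class

# Constructed sample blocklist; a real deployment would load a large list.
COMMON = {"password", "12345678", "qwertyuiop", "letmein"}


def pool_size(password):
    """Sum the sizes of the character classes that appear in the password."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    # Characters outside the classes above (e.g. non-ASCII) each count once.
    others = {c for c in password if not any(c in chars for chars, _ in CLASSES)}
    return size + len(others)


def keyspace(password):
    """Exact integer keyspace: pool size to the power of the length."""
    return pool_size(password) ** len(password)


def check(password, minimum=MIN_KEYSPACE):
    """Return (accepted, reason); the blocklist is consulted first."""
    if password.lower() in COMMON:
        return False, "common password"
    ks = keyspace(password)
    if ks < minimum:
        return False, f"only ~{math.log2(ks):.0f} bits of keyspace"
    return True, f"~{math.log2(ks):.0f} bits of keyspace"
```

Note that `check("aaaaaaaaaaaaaaaa")` is accepted: the count assumes every character is drawn independently and uniformly from the pool, so repeated or dictionary-based input is credited with more keyspace than an attacker actually has to search.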