Few things are more annoying than passwords. In theory, they’re fantastic. You keep a secret locked away in your super-computer-brain, and nobody else knows what it is, then you use that secret to prove that you’re who you say you are. Brilliant.
Except that, in reality, passwords are beset by several tough problems. First and foremost, you don’t have any control over what the website you plug your password into does with it, so using the same password for everything is foolish. That means that instead of having to remember one password, you have to remember a bunch of them and what services and websites they match up with. Don’t write them down, either, or someone with physical access to your space could steal them!
Those are all problems with passwords before individual sites get into the mix with their own restrictions. Some of these make sense; it’s almost pointless to have a two-character password, after all. Others are just silly: why should there be a limit on how long the password can be? Or what characters I can put into it? Then we have the myriad restrictions on how complex the password can be and how often you can repeat them.
The first group of problems are all going to be around for as long as we have passwords, but when it comes to the problem of users having too simple a password, there’s a painfully simple solution: base the expiration date of a password on how strong it is.
So under this magical new system, all passwords have an expiration date. What is that expiration date? Well, that depends.
If your password is something short and simple, like “dog”, the expiration might be really short. Say 5 seconds. By the time you finish setting it, it’ll be time to change it again. If your password, instead, is 64 characters long and full of special characters, it might be 500 years. Forbid password repetition and you suddenly have a password system that encourages good behavior: do you hate resetting your password? If so, you’d better make it a good one.
The immediate question becomes one of determining how long a password should last. The XKCD comic above provides one way of determining entropy, but it’d probably be exceedingly complicated to write an algorithm that figured that out, based on its reliance on a certain level of entropy. Instead, it might make sense to use the table from Wikipedia’s Password Strength article.
You could analyze the password and determine which category it fell into, which gives an entropy-per-character rating for the password. From that point you multiply the entropy-per-character number by the password length, and raise two to that power to determine the number of guesses required. This calculation would likely need to be slightly more complicated, because a password like “password” would be worth almost a day’s worth of guesses according to that system, but in reality the password “password” would likely be guessed almost immediately.
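Here is a sketch of that calculation, added as an example and not code from the original post. The guess rate and the sample denylist are assumptions; the 5-second floor and 500-year ceiling reuse the post's illustrative figures. The denylist is one way to handle the “password” problem described above.

```python
import math
import string

GUESSES_PER_SECOND = 2.5e6             # assumption: attacker speed, not from the post
MIN_LIFETIME = 5.0                     # seconds; the post's illustrative "dog" figure
MAX_LIFETIME = 500 * 365.25 * 86400    # seconds; the post's illustrative 500 years
# Constructed sample denylist; a real system would load a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation, " ")


def symbol_set_size(password):
    """Size of the character pool the password appears to be drawn from."""
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in password))
    # Characters outside the ASCII pools: count only the distinct ones seen,
    # which is a deliberately conservative (low) estimate.
    known = "".join(POOLS)
    return size + len({c for c in password if c not in known})


def naive_bits(password):
    """Entropy per character (log2 of the pool size) times length."""
    if not password:
        return 0.0
    return len(password) * math.log2(symbol_set_size(password))


def effective_bits(password):
    """Same estimate, except denylisted passwords are worth nothing."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return naive_bits(password)


def lifetime_seconds(password, bits=effective_bits):
    """Time to try 2**bits guesses, clamped to [MIN_LIFETIME, MAX_LIFETIME]."""
    b = bits(password)
    # Compare in the log domain first so very long passwords cannot overflow.
    if b >= math.log2(MAX_LIFETIME * GUESSES_PER_SECOND):
        return MAX_LIFETIME
    return max(2.0 ** b / GUESSES_PER_SECOND, MIN_LIFETIME)


if __name__ == "__main__":
    for pw in ("dog", "password", "k3#Tq9!z", "Aa1!" * 16):
        print(f"{pw!r:70} {effective_bits(pw):6.1f} bits "
              f"{lifetime_seconds(pw):.3g} s")
```

At the assumed rate, the naive estimate gives “password” just under a day, while the denylist drops it to the 5-second floor.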
Still, the basic idea is there: the longer your password, the longer you should get to keep it. I shouldn’t have to reset my randomly-generated 32-character password full of special characters just because some idiot in accounting uses his dog’s name with a number after it as a password.