Bugtraq mailing list archives
Re: Password Security Policy Question
From: Roman Drahtmueller <draht () suse de>
Date: Tue, 10 Sep 2002 20:51:24 +0200 (MEST)
> I am aware of a company that has instituted a policy that limits a specific character in people's passwords to being a numeric character. Personally, I am confused at this policy. It seems to me that placing such a specific limit on a specific position in a password simply reduces the number of guesses that someone would have to try in a brute force attack. Does anyone out there know if there is any theoretical basis for believing that a policy to limit a specific character position in passwords to a numeric character will enhance security? If not, does anyone know how such a misunderstanding might have occurred?
Theoretically, you are right. The number of possible passwords is smaller with a limitation to a certain class of characters. In practice though, it might make sense if you consider psychological reasons: If a user is allowed to choose a password without any digits, then she will use a simple word in most cases. Seen from the other side: Making the passwords a bit more complicated gives you a slightly better protection against manual brute-forcing. To have a more satisfactory solution, you could make your system use cracklib or similar to check the strength of a new password. It will be bitching at you then.
Adrian
Roman.
--
 - -
| Roman Drahtmüller <draht () suse de>  //  "You don't need eyes to see,
| SuSE Linux AG - Security    Phone:    //   you need vision!"
| Nürnberg, Germany       +49-911-740530 //   Maxi Jazz, Faithless
 - -
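The two points in the exchange above, the keyspace lost by pinning one position to a digit versus the far larger loss when users fall back to a dictionary word, can be put side by side numerically. The following is an added example, not code from either poster and not cracklib itself; the character-class sizes, the tiny word list and the check rules are constructed for illustration.

```python
import math

# Assumed class sizes for a US-ASCII keyboard (not from the thread).
CLASSES = {"digit": 10, "lower": 26, "upper": 26, "alnum": 62, "printable": 95}


def keyspace_bits(policy):
    """policy is a list of class names, one per password position.
    Returns log2 of the number of passwords the policy admits."""
    return sum(math.log2(CLASSES[c]) for c in policy)


def reduction_bits(unrestricted, restricted):
    """Bits an attacker saves when one policy is tightened into another
    (e.g. forcing a fixed position to be a digit)."""
    return keyspace_bits(unrestricted) - keyspace_bits(restricted)


def human_choice_bits(word_count):
    """If users actually pick one of word_count dictionary words, the
    effective keyspace is log2(word_count), whatever the nominal policy."""
    return math.log2(word_count)


# Constructed toy dictionary; a real check would load cracklib's word list.
DICTIONARY = {"password", "secret", "letmein", "welcome", "dragon"}


def check_password(pw, min_len=8, require_digit=True):
    """cracklib-style accept/reject check (constructed, not cracklib's logic).
    Returns the list of complaints; an empty list means the password passed."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if require_digit and not any(ch.isdigit() for ch in pw):
        reasons.append("no digit")
    # Strip leading/trailing digits so "password1" is still caught as a word.
    core = pw.lower().strip("0123456789")
    if core in DICTIONARY:
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    free = ["alnum"] * 8                       # 8 alphanumerics, any position
    pinned = ["alnum", "alnum", "digit"] + ["alnum"] * 5   # 3rd char must be a digit
    print("8 alnum, unrestricted : %.2f bits" % keyspace_bits(free))
    print("8 alnum, pos 3 digit  : %.2f bits" % keyspace_bits(pinned))
    print("lost to the policy    : %.2f bits" % reduction_bits(free, pinned))
    print("user picks 1 of 100k words: %.2f bits" % human_choice_bits(100_000))
    for pw in ("welcome", "password1", "Tr0ub4dor"):
        print(pw, "->", check_password(pw) or "ok")
```

Pinning one of eight alphanumeric positions to a digit costs about 2.6 bits (a factor of 62/10), while a user who picks a dictionary word out of 100,000 candidates has thrown away roughly 30 bits; that gap is the "psychological" argument in the reply, and a strength check that rejects dictionary-based choices addresses the larger loss directly.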
Current thread:
- Password Security Policy Question L. Adrian Griffis (Sep 10)
- Re: Password Security Policy Question Roman Drahtmueller (Sep 10)
- Re: Password Security Policy Question Greg A. Woods (Sep 13)
- Re: Password Security Policy Question bugtraq (Sep 10)
- <Possible follow-ups>
- Re: Password Security Policy Question Nate Lawson (Sep 17)
- Re: Password Security Policy Question Crispin Cowan (Sep 18)
- Re: Password Security Policy Question Roman Drahtmueller (Sep 10)