Bugtraq mailing list archives

Re: Password Security Policy Question


From: Roman Drahtmueller <draht () suse de>
Date: Tue, 10 Sep 2002 20:51:24 +0200 (MEST)


I am aware of a company that has instituted a policy that limits a
specific character in people's passwords to being a numeric character.
Personally, I am confused at this policy.  It seems to me that
placing such a specific limit on a specific position in a password
simply reduces the number of guesses that someone would have to try
in a brute force attack.

Does anyone out there know if there is any theoretical basis for
believing that a policy to limit a specific character position
in passwords to a numeric character will enhance security.  If not,
does anyone know how such a misunderstanding might have occurred?

Theoretically, you are right. The number of possible passwords is smaller
with a limitation to a certain class of characters.
In practice though, it might make sense if you consider psychological
reasons: If a user is allowed to choose a password without any digits, then
she will use a simple word in most cases. Seen from the other side: Making
the passwords a bit more complicated gives you a slightly better
protection against manual brute-forcing.
To have a more satisfactory solution, you could make your system use
cracklib or similar to check the strength of a new password. It will be
bitching at you then.

Adrian

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> // "You don't need eyes to see, |
  SuSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -


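To put numbers on the two points made in the reply above (how much brute-force work a forced digit position gives away, and what a cracklib-style check catches that the positional rule does not), here is an added Python example. It is not part of the original post and is not cracklib itself: the wordlist, the substitution table and the sample passwords are constructed for the illustration, and the dictionary logic is a simplified stand-in for the checks cracklib performs.

```python
import math
import re

# Per-position alphabet for the brute-force estimate: printable ASCII.
PRINTABLE = 95
DIGITS = 10

# Constructed sample wordlist standing in for cracklib's dictionary.
WORDLIST = {"password", "letmein", "welcome", "sunshine", "dragon", "qwerty"}

# Letter-for-digit/symbol substitutions that dictionary-aware checkers undo.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def keyspace_bits(length, fixed_digit_positions=0):
    """Bits of keyspace for a `length`-character printable-ASCII password
    when `fixed_digit_positions` of the positions are forced to be digits."""
    free = length - fixed_digit_positions
    return free * math.log2(PRINTABLE) + fixed_digit_positions * math.log2(DIGITS)


def keyspace_loss_bits(length, fixed_digit_positions=1):
    """Bits of brute-force work the positional rule gives away.
    Each forced digit position costs log2(95/10), about 3.25 bits, whatever the length."""
    return keyspace_bits(length) - keyspace_bits(length, fixed_digit_positions)


def positional_digit_policy(pw, position):
    """The policy from the question: the character at `position` (0-based) must be a digit."""
    return len(pw) > position and pw[position].isdigit()


def _candidates(pw):
    """Variants a cracklib-style checker compares against the dictionary."""
    low = pw.lower()
    yield low
    yield low.translate(LEET)                        # undo 'p4ssw0rd'-style substitutions
    yield re.sub(r"[^a-z]", "", low)                 # strip digits/symbols: 'Password1!' -> 'password'
    yield re.sub(r"[^a-z]", "", low.translate(LEET))
    yield low[::-1]                                  # reversed word


def based_on_dictionary_word(pw, wordlist=WORDLIST):
    """True if any variant of pw is, or is a truncation/extension of, a dictionary word."""
    for cand in _candidates(pw):
        if len(cand) < 5:
            continue
        if cand in wordlist:
            return True
        # 'passwor1' satisfies the positional rule but is a truncated dictionary word
        if any(w.startswith(cand) or cand.startswith(w) for w in wordlist):
            return True
    return False


def cracklib_like_check(pw, min_length=8, min_classes=3, wordlist=WORDLIST):
    """Return None if the password passes, else the reason it was rejected."""
    if len(pw) < min_length:
        return "too short"
    if based_on_dictionary_word(pw, wordlist):
        return "based on a dictionary word"
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < min_classes:
        return "too few character classes"
    return None


def compare(pw, digit_position=7):
    """Side by side: the positional rule from the question vs. a dictionary-aware check."""
    return {"positional_rule": positional_digit_policy(pw, digit_position),
            "cracklib_like": cracklib_like_check(pw)}


if __name__ == "__main__":
    print(f"bits lost per forced digit position: {keyspace_loss_bits(8):.2f}")
    # Constructed samples: note 'passwor1' passes the positional rule and fails the other.
    for pw in ("password", "passwor1", "p4ssw0rd", "Password1!", "Tr0ub4dor&3"):
        print(pw, compare(pw))
```

The keyspace loss is independent of password length, about 3.25 bits per forced position, so against an exhaustive attacker the rule costs roughly one order of magnitude. The dictionary check shows where the real exposure lies: a word with a digit appended at the mandated position still falls to a wordlist run extended by ten guesses per word, which is why a cracklib-style check is the more useful control.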