Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Password Security Policy Question
From: Nate Lawson <nate () cryptography com>
Date: Tue, 17 Sep 2002 10:06:56 -0700

At 11:36 AM 9/10/2002 -0500, L. Adrian Griffis wrote:
> I am aware of a company that has instituted a policy that limits a
> specific character in people's passwords to being a numeric character.
> Personally, I am confused at this policy.  It seems to me that
> placing such a specific limit on a specific position in a password
> simply reduces the number of guesses that someone would have to try
> in a brute force attack.
>
> Does anyone out there know if there is any theoretical basis for
> believing that a policy to limit a specific character position
> in passwords to a numeric character will enhance security.  If not,
> does anyone know how such a misunderstanding might have occurred?
>
> Adrian

This is a bad idea.  Ross Anderson's group did a good study on different
password selection approaches:
http://www.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf
http://www.cl.cam.ac.uk/~jy212/pro-check.pdf

-Nate


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]