Re: Password Security Policy Question
From: Nate Lawson <nate () cryptography com>
Date: Tue, 17 Sep 2002 10:06:56 -0700
At 11:36 AM 9/10/2002 -0500, L. Adrian Griffis wrote:
> I am aware of a company that has instituted a policy that limits a
> specific character in people's passwords to being a numeric character.
> Personally, I am confused at this policy. It seems to me that
> placing such a specific limit on a specific position in a password
> simply reduces the number of guesses that someone would have to try
> in a brute force attack.
> Does anyone out there know if there is any theoretical basis for
> believing that a policy to limit a specific character position
> in passwords to a numeric character will enhance security? If not,
> does anyone know how such a misunderstanding might have occurred?
This is a bad idea. Ross Anderson's group did a good study on different
password selection approaches:
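The search-space arithmetic behind the question, as an added example that is not part of Nate Lawson's reply or the original thread. It assumes passwords are drawn from the 95 printable ASCII characters (10 of them digits) and compares the policy asked about (one fixed position must be a digit) with no rule at all and, going one step beyond the thread, with the weaker "at least one digit anywhere" rule; the policy names and the tiny alphabet used for the exhaustive cross-check are constructed here.

```python
"""Keyspace cost of password composition rules (constructed example).

Policies compared (names are this example's own, not the thread's):
  "none"        no composition rule
  "fixed_digit" one specific position must be a digit (the policy in question)
  "any_digit"   at least one digit somewhere in the password
"""
from itertools import product
from math import log2
import string

# Assumption: 95 printable ASCII symbols, 10 of which are digits.
ALPHABET = string.digits + string.ascii_letters + string.punctuation + " "
DIGITS = string.digits


def keyspace(length, policy, alphabet=ALPHABET, digits=DIGITS):
    """Number of passwords of `length` that satisfy `policy` (closed form)."""
    a = len(alphabet)
    d = sum(1 for c in alphabet if c in digits)
    if policy == "none":
        return a ** length
    if policy == "fixed_digit":
        # The constrained slot offers d choices instead of a; the rest are free.
        return d * a ** (length - 1)
    if policy == "any_digit":
        # All passwords minus those containing no digit at all.
        return a ** length - (a - d) ** length
    raise ValueError(f"unknown policy {policy!r}")


def bits_lost(length, policy):
    """Entropy (bits) a brute-force attacker no longer has to cover."""
    return log2(keyspace(length, "none")) - log2(keyspace(length, policy))


def satisfies(password, policy, fixed_pos=0, alphabet=ALPHABET, digits=DIGITS):
    """Policy checker that mirrors keyspace(): does `password` pass the rule?"""
    if any(c not in alphabet for c in password):
        return False
    if policy == "none":
        return True
    if policy == "fixed_digit":
        return len(password) > fixed_pos and password[fixed_pos] in digits
    if policy == "any_digit":
        return any(c in digits for c in password)
    raise ValueError(f"unknown policy {policy!r}")


def brute_force_count(length, policy, alphabet, digits, fixed_pos=0):
    """Exhaustively enumerate a tiny alphabet to confirm the closed forms."""
    return sum(
        1
        for combo in product(alphabet, repeat=length)
        if satisfies("".join(combo), policy, fixed_pos, alphabet, digits)
    )


def report(length):
    """Per-policy keyspace and bits lost relative to no rule, for one length."""
    return {
        policy: (keyspace(length, policy), round(bits_lost(length, policy), 2))
        for policy in ("none", "fixed_digit", "any_digit")
    }


if __name__ == "__main__":
    for policy, (size, lost) in report(8).items():
        print(f"{policy:12s} keyspace={size:>22,d}  bits lost={lost}")
    # Cross-check the formulas against brute enumeration on a 3-symbol alphabet.
    for policy in ("none", "fixed_digit", "any_digit"):
        assert brute_force_count(3, policy, "ab1", "1") == keyspace(3, policy, "ab1", "1")
```

For 8-character passwords the fixed-position rule divides the search space by 9.5 (about 3.25 bits), which is exactly the reduction the original poster suspected; requiring a digit somewhere costs well under one bit, because the attacker still has to cover almost every string. The exhaustive check on the three-symbol alphabet is there so the closed-form counts are not taken on faith.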