Bugtraq mailing list archives
Re: Password Security Policy Question
From: Nate Lawson <nate () cryptography com>
Date: Tue, 17 Sep 2002 10:06:56 -0700

At 11:36 AM 9/10/2002 -0500, L. Adrian Griffis wrote:
> I am aware of a company that has instituted a policy that limits a
> specific character in people's passwords to being a numeric character.
> Personally, I am confused at this policy. It seems to me that
> placing such a specific limit on a specific position in a password
> simply reduces the number of guesses that someone would have to try
> in a brute force attack.
>
> Does anyone out there know if there is any theoretical basis for
> believing that a policy to limit a specific character position
> in passwords to a numeric character will enhance security. If not,
> does anyone know how such a misunderstanding might have occurred?
>
> Adrian

This is a bad idea. Ross Anderson's group did a good study on different
password selection approaches:

http://www.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf
http://www.cl.cam.ac.uk/~jy212/pro-check.pdf

-Nate