Bugtraq mailing list archives

Re: Password Security Policy Question


From: bugtraq () applied-knowledge net
Date: Tue, 10 Sep 2002 14:57:15 -0400 (EDT)

There are a couple of issues to consider here.  Mathematically, it is a
weaker password because you limit yourself to ten possible characters as
one of the characters in the password string and it's a simple
combinatorics exercise to figure it out.

For example, if we limit ourselves to printing ASCII characters (94 of
them if I counted correctly) as the set of all possible password characters
and assume the use of an eight character password we have 6095689385410816
possible combinations (94^8).  If we limit one character of the password
string to be a numeral though, we only have 648477594192640 possible
combinations.  By not limiting one character to being a numeral you
achieve 9.4 times the number of possible combinations.

Added to this are your other concerns.  If one particular position in the
string is required to be the numeral then there will be less guess work
involved as opposed to at least one position (any position) being a
numeral.  For that matter, the number of possible password combinations
goes down even more dramatically if you only allow one position to be a
numeral (295090346557440 combinations).  Remove non alpha-numerics and it
is further reduced.  You see where this is going.

A softer side to this is that users will often increment the numeral
making it fairly easy for an attacker to guess.  Or maybe the numeral
corresponding to the calendar month is always used.  So on and so forth.

Chris
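The counting behind the three figures above, as an added example that is not part of the original thread: it uses the 94-character printable ASCII set and 8-character length assumed in the post, treats a fixed-position policy as a product of per-position alphabet sizes, and also works out the "at least one numeral in any position" case the post mentions but does not compute (by subtracting the digit-free strings from the total).

```python
from math import log2, prod

# Alphabet sizes used in the post: 94 printable ASCII characters, 10 of them digits.
PRINTABLE = 94
DIGITS = 10
NON_DIGITS = PRINTABLE - DIGITS  # 84 letters and symbols


def positional_keyspace(allowed_sizes):
    """Keyspace of a policy that fixes which character class each position may use.

    allowed_sizes[i] is the number of characters permitted at position i; since
    positions are chosen independently, the total is simply their product.
    """
    return prod(allowed_sizes)


def keyspace_unrestricted(length):
    return positional_keyspace([PRINTABLE] * length)


def keyspace_digit_at_fixed_position(length):
    """One designated position must be a digit; every other position is unrestricted."""
    return positional_keyspace([DIGITS] + [PRINTABLE] * (length - 1))


def keyspace_digit_only_at_fixed_position(length):
    """The designated position is a digit and no other position may hold a digit."""
    return positional_keyspace([DIGITS] + [NON_DIGITS] * (length - 1))


def keyspace_at_least_one_digit_anywhere(length):
    """At least one digit in any position: all strings minus the digit-free ones."""
    return PRINTABLE ** length - NON_DIGITS ** length


def entropy_bits(keyspace):
    """Search-space size expressed as bits of guessing work."""
    return log2(keyspace)


def compare_policies(length=8):
    """Map each policy to (keyspace, bits, shrink factor relative to unrestricted)."""
    base = keyspace_unrestricted(length)
    policies = {
        "unrestricted": base,
        "at least one digit anywhere": keyspace_at_least_one_digit_anywhere(length),
        "digit required at fixed position": keyspace_digit_at_fixed_position(length),
        "digit allowed only at fixed position": keyspace_digit_only_at_fixed_position(length),
    }
    return {name: (n, round(entropy_bits(n), 2), base / n) for name, n in policies.items()}


if __name__ == "__main__":
    for name, (n, bits, factor) in compare_policies().items():
        print(f"{name:38s} {n:>20,d}  {bits:6.2f} bits  {factor:5.2f}x fewer")
```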

On Tue, 10 Sep 2002, L. Adrian Griffis wrote:


I am aware of a company that has instituted a policy that limits a
specific character in people's passwords to being a numeric character.
Personally, I am confused at this policy.  It seems to me that
placing such a specific limit on a specific position in a password
simply reduces the number of guesses that someone would have to try
in a brute force attack.

Does anyone out there know if there is any theoretical basis for
believing that a policy to limit a specific character position
in passwords to a numeric character will enhance security.  If not,
does anyone know how such a misunderstanding might have occurred?

Adrian
