Re: AD and enforced password policies

[Steven Bellovin <smb () cs columbia edu>]

On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote:

> > I just went through some calculations for a (government) site that has the
> > following rules:
> [...]
> > Under the plausible assumption that very many people will start with a string
> > of digits, continue with a string of lower-case letters to reach seven characters,
> > and then add a period, there are only ~5,000,000,000 choices.  That's not many at
> > all -- but the rules look just fine...
>
> 1234;lkj rolls off the fingers quite nicely, don't you think?
OK -- let's let the set of punctuation be .,; and allow seven choices for where
it goes.  That increases the work factor by 21 -- still not that large a space
for someone with a good botnet. 

The real question is what you're trying to protect.  If the attacker's goal is
to get *some* password, then I think he or she will get succeed, because
I think that very many people will follow my assumed pattern -- enough that
the attacker has a good chance of winning.  Sure, some people will pick stronger
ones -- but that isn't the point of the exercise.  Passwords and password rules
are the *enemy* to most people.

                --Steve Bellovin, https://www.cs.columbia.edu/~smb