[26978] in bugtraq
Password Security Policy Question
daemon@ATHENA.MIT.EDU (L. Adrian Griffis)
Tue Sep 10 14:15:33 2002
Date: Tue, 10 Sep 2002 11:36:26 -0500 (CDT)
From: "L. Adrian Griffis" <dt26453@dstsystems.com>
Reply-To: Adrian Griffis <agriffis@dstsystems.com>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.21.0209101131110.4471-100000@dt26453.dstsystems.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
I am aware of a company that has instituted a policy that limits a
specific character in people's passwords to being a numeric character.
Personally, I am confused at this policy. It seems to me that
placing such a specific limit on a specific position in a password
simply reduces the number of guesses that someone would have to try
in a brute force attack.
Does anyone out there know if there is any theoretical basis for
believing that a policy to limit a specific character position
in passwords to a numeric character will enhance security? If not,
does anyone know how such a misunderstanding might have occurred?
Adrian
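An added worked calculation (not part of the original post) that quantifies the concern raised above: it compares the search space an exhaustive guesser must cover under three rules, no restriction, the poster's "position k must be a digit" rule, and, as an assumed point of comparison, the common "at least one digit anywhere" rule. The alphabet sizes (95 printable ASCII characters, 10 of them digits) are assumptions.

```python
# Added example: size of the password space under three policies.
# Assumed alphabet: 95 printable ASCII characters, 10 of which are digits.
import math

PRINTABLE = 95   # assumed number of characters allowed in an unrestricted position
DIGITS = 10      # assumed number of characters allowed in the restricted position

def keyspace_unrestricted(length: int) -> int:
    """Every position may hold any of the PRINTABLE characters."""
    return PRINTABLE ** length

def keyspace_fixed_digit_position(length: int) -> int:
    """One specific position may only hold a digit (the policy in the post).
    Which position is restricted does not change the count."""
    return DIGITS * PRINTABLE ** (length - 1)

def keyspace_at_least_one_digit(length: int) -> int:
    """At least one digit somewhere (assumed comparison policy):
    all passwords minus those containing no digit at all."""
    return PRINTABLE ** length - (PRINTABLE - DIGITS) ** length

def entropy_bits(keyspace: int) -> float:
    """Guessing entropy in bits for a password chosen uniformly from the space."""
    return math.log2(keyspace)

def compare(length: int) -> dict:
    """For each policy: keyspace, entropy in bits, and the factor by which an
    exhaustive search shrinks relative to the unrestricted case."""
    base = keyspace_unrestricted(length)
    rows = (("unrestricted", base),
            ("fixed digit position", keyspace_fixed_digit_position(length)),
            ("at least one digit", keyspace_at_least_one_digit(length)))
    return {name: {"keyspace": space,
                   "bits": entropy_bits(space),
                   "search_reduction": base / space}
            for name, space in rows}

if __name__ == "__main__":
    for name, row in compare(8).items():
        print(f"{name:22s} {row['bits']:6.2f} bits, "
              f"exhaustive search shrinks by x{row['search_reduction']:.2f}")
```

For 8-character passwords the fixed-position rule cuts the space by a factor of 9.5 (about 3.2 bits), whereas requiring a digit anywhere removes only the digit-free passwords and costs well under one bit.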