[26979] in bugtraq
Re: Password Security Policy Question
daemon@ATHENA.MIT.EDU (Roman Drahtmueller)
Tue Sep 10 16:58:28 2002
Date: Tue, 10 Sep 2002 20:51:24 +0200 (MEST)
From: Roman Drahtmueller <draht@suse.de>
To: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.21.0209101131110.4471-100000@dt26453.dstsystems.com>
Message-ID: <Pine.LNX.4.44.0209102029360.1985-100000@dent.suse.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
>
> I am aware of a company that has instituted a policy that limits a
> specific character in people's passwords to being a numeric character.
> Personally, I am confused at this policy. It seems to me that
> placing such a specific limit on a specific position in a password
> simply reduces the number of guesses that someone would have to try
> in a brute force attack.
>
> Does anyone out there know if there is any theoretical basis for
> believing that a policy to limit a specific character position
> in passwords to a numeric character will enhance security. If not,
> does anyone know how such a misunderstanding might have occurred?
Theoretically, you are right. The number of possible passwords is smaller
with a limitation to a certain class of characters.
In practice though, it might make sense if you consider psychological
reasons: If a user is allowed to choose a password without any digits, then
she will use a simple word in most cases. Seen from the other side: Making
the passwords a bit more complicated gives you a slightly better
protection against manual brute-forcing.
To have a more satisfactory solution, you could make your system use
cracklib or similar to check the strength of a new password. It will be
bitching at you then.
> Adrian
Roman.
--
- -
| Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see, |
| SuSE Linux AG - Security Phone: // you need vision!" |
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -
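The two sides of this exchange can be put into numbers. The following is an added worked example, not code from the original bugtraq thread or from cracklib: it computes the search space of an 8-character password under the unrestricted policy, under the "one fixed position must be a digit" policy from the question, and under an "at least one digit anywhere" policy, and then shows why a lowercase dictionary word is a far worse outcome than any of those reductions. The class sizes (95 printable ASCII characters), the tiny word list, and the 40-bit acceptance threshold in the cracklib-like checker are all assumptions chosen for illustration.

```python
"""Added example (not part of the original thread): keyspace arithmetic for
the password policies discussed, plus a crude cracklib-style strength check.
Alphabet sizes, the word list and the bit threshold are assumptions."""
import math
import re

# Printable ASCII split into character classes (assumed alphabet: 95 symbols).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed word list standing in for cracklib's dictionary.
WORDLIST = {"password", "letmein", "welcome", "summer"}


def keyspace_unrestricted(length, alphabet=FULL):
    """All strings of the given length over the alphabet."""
    return alphabet ** length


def keyspace_fixed_digit_position(length, alphabet=FULL, digits=DIGITS):
    """The policy from the question: one specific position must be a digit,
    so that position has 10 choices and every other position keeps the full
    alphabet. The cost is exactly log2(alphabet/digits) bits."""
    return digits * alphabet ** (length - 1)


def keyspace_at_least_one_digit(length, alphabet=FULL, digits=DIGITS):
    """At least one digit anywhere: total minus the strings with no digit."""
    return alphabet ** length - (alphabet - digits) ** length


def bits(n):
    """Search space expressed in bits."""
    return math.log2(n)


def effective_alphabet(password):
    """Size of the class mix an attacker would need to cover this password;
    this is the 'psychological' side of the argument made in the reply."""
    size = 0
    if re.search(r"[a-z]", password):
        size += LOWER
    if re.search(r"[A-Z]", password):
        size += UPPER
    if re.search(r"[0-9]", password):
        size += DIGITS
    if re.search(r"[^a-zA-Z0-9]", password):
        size += SYMBOLS
    return size


def estimated_bits(password):
    """Crude strength estimate: class-mix alphabet raised to the length."""
    return bits(effective_alphabet(password) ** len(password))


def satisfies_fixed_digit_policy(password, position):
    """True if the character at the given zero-based position is a digit."""
    return len(password) > position and password[position].isdigit()


def check_password(password, digit_position=None, min_bits=40.0):
    """Cracklib-like gate (assumed rules): reject dictionary words, reject
    passwords that miss the fixed-digit rule when one is configured, and
    reject anything below the assumed bit threshold. Returns (ok, reason)."""
    if password.lower() in WORDLIST:
        return False, "dictionary word"
    if digit_position is not None and not satisfies_fixed_digit_policy(password, digit_position):
        return False, f"position {digit_position} must be a digit"
    if estimated_bits(password) < min_bits:
        return False, f"too weak: {estimated_bits(password):.1f} bits < {min_bits}"
    return True, "ok"


def compare_policies(length=8):
    """Side-by-side keyspace in bits for the three policies and a plain word."""
    return {
        "unrestricted": bits(keyspace_unrestricted(length)),
        "fixed_digit_position": bits(keyspace_fixed_digit_position(length)),
        "at_least_one_digit": bits(keyspace_at_least_one_digit(length)),
        "lowercase_word_only": bits(keyspace_unrestricted(length, LOWER)),
    }


if __name__ == "__main__":
    for policy, b in compare_policies(8).items():
        print(f"{policy:24s} {b:6.1f} bits")
    for pw in ("password", "passw0rd", "Tr0ub4dor&3"):
        print(pw, check_password(pw, digit_position=5))
```

Running it shows the fixed-digit policy costs about 3.2 bits out of roughly 52.6 for an 8-character password, whereas an all-lowercase word of the same length is worth only about 37.6 bits before any dictionary attack is considered, which is the trade-off the reply describes.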