[27058] in bugtraq


Re: Password Security Policy Question

daemon@ATHENA.MIT.EDU (Nate Lawson)
Tue Sep 17 22:05:11 2002

Message-Id: <5.1.1.6.2.20020917100223.00aa3958@cryptography.securesites.com>
Date: Tue, 17 Sep 2002 10:06:56 -0700
To: bugtraq@securityfocus.com
From: Nate Lawson <nate@cryptography.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 11:36 AM 9/10/2002 -0500, L. Adrian Griffis wrote:
 > I am aware of a company that has instituted a policy that limits a
 > specific character in people's passwords to being a numeric character.
 > Personally, I am confused at this policy.  It seems to me that
 > placing such a specific limit on a specific position in a password
 > simply reduces the number of guesses that someone would have to try
 > in a brute force attack.
 >
 > Does anyone out there know if there is any theoretical basis for
 > believing that a policy to limit a specific character position
 > in passwords to a numeric character will enhance security?  If not,
 > does anyone know how such a misunderstanding might have occurred?
 >
 > Adrian

This is a bad idea.  Ross Anderson's group did a good study on different
password selection approaches:
http://www.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf
http://www.cl.cam.ac.uk/~jy212/pro-check.pdf

-Nate
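The arithmetic behind Adrian's objection, as an added example that is not part of the original thread or of the papers Nate cites. It counts the number of distinct passwords under three policies: no constraint, one fixed position forced to be a digit (the policy in the question), and "at least one digit anywhere". The 94-character printable-ASCII alphabet, the 8-character length and the class sizes are constructed assumptions for the comparison, not values from the post.

```python
import math

# Constructed assumptions for the comparison (not from the thread):
# a password drawn uniformly from 94 printable ASCII characters.
FULL_ALPHABET = 94
DIGITS = 10
NON_DIGITS = FULL_ALPHABET - DIGITS  # 84


def keyspace(length, position_classes=None, alphabet=FULL_ALPHABET):
    """Number of distinct passwords when specific positions are restricted.

    position_classes maps a 0-based index to the size of the character
    class allowed there; every other position may use the full alphabet.
    Forcing position i to a class of size c shrinks the space by alphabet/c.
    """
    position_classes = position_classes or {}
    total = 1
    for i in range(length):
        total *= position_classes.get(i, alphabet)
    return total


def keyspace_at_least_one_digit(length, alphabet=FULL_ALPHABET, digits=DIGITS):
    """Passwords containing at least one digit in any position.

    Counted as all passwords minus those made only of non-digits.  This is
    the usual "complexity" policy; unlike the positional rule it does not
    tell a guesser where the digit sits.
    """
    return alphabet ** length - (alphabet - digits) ** length


def bits(n):
    """Size of a search space expressed as bits of work for a uniform guess."""
    return math.log2(n)


def bits_lost_positional(length, position, alphabet=FULL_ALPHABET, digits=DIGITS):
    """Entropy removed by forcing one named position to be a digit."""
    return bits(keyspace(length, alphabet=alphabet)) - bits(
        keyspace(length, {position: digits}, alphabet))


def bits_lost_at_least_one(length, alphabet=FULL_ALPHABET, digits=DIGITS):
    """Entropy removed by requiring a digit somewhere, position unspecified."""
    return bits(keyspace(length, alphabet=alphabet)) - bits(
        keyspace_at_least_one_digit(length, alphabet, digits))


def compare_policies(length=8, position=3):
    """Return (bits with no constraint, bits lost by the positional rule,
    bits lost by the at-least-one-digit rule) for the assumed alphabet."""
    return (
        bits(keyspace(length)),
        bits_lost_positional(length, position),
        bits_lost_at_least_one(length),
    )


if __name__ == "__main__":
    base, lost_pos, lost_any = compare_policies()
    print(f"unconstrained 8-char space: {base:.2f} bits")
    print(f"digit forced at one position: -{lost_pos:.2f} bits")
    print(f"digit required anywhere:      -{lost_any:.2f} bits")
```

With the assumed alphabet, pinning one position to a digit removes log2(94/10), roughly 3.2 bits, regardless of password length, because a guesser simply never tries the 84 non-digits in that slot. Requiring a digit somewhere costs well under one bit at length 8, which is the likely source of the confusion: the positional rule looks like a complexity requirement but gives up far more of the search space.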
