List:       focus-ms
Subject:    Re: Password complexity - improvement
From:       "Chris Barber" <cmbarber () gmail ! com>
Date:       2007-08-24 21:53:03
Message-ID: b5c8f6f70708241453v6c03e54apa58c53f51508bab1 () mail ! gmail ! com

You may have reduced the number of usable character combinations in a
fixed character password.  But if I simply add the requirement of
having all 4 character types and leave the upper limit open, I have
just increased the keyspace astronomically.

Example:
With the password length fixed at 7 characters, here are some numbers to look at:
Lower case only password has a keyspace of                 8,031,810,176
Upper & lower case keyspace =                          1,028,071,702,528
Upper, lower case & numbers =                          3,521,614,606,208
Upper, lower, number & Special =                      75,144,747,810,816

For a 10-character password:
Lower case only password has a keyspace of           141,167,095,653,376
Upper & lower case keyspace =                    144,555,105,949,057,000
Upper, lower case & numbers =                    839,299,365,868,340,000
Upper, lower, number & Special =              66,483,263,599,150,100,000

So, I do not agree that it is a negative impact on security.
Chris.




On 8/15/07, Ansgar -59cobalt- Wiechers <bugtraq@planetcobalt.net> wrote:
> On 2007-08-15 dubaisans dubai wrote:
> > Is there a way to improve the password complexity requirements in
> > Windows 2000/2003 servers?
> >
> > The default will enforce 3 of the following 4 properties - Uppercase,
> > smallercase, numbers, special-characters.
> >
> > Is there a way to enforce all 4 properties?
>
> Enforcing passwords that MUST consist of uppercase letters, lowercase
> letters, numbers AND special characters reduces the total number of
> possible passwords, which in consequence has a negative impact on your
> security.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
>
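
Added example, not part of either message above: an exact count, by inclusion-exclusion, of the passwords each rule allows at a given length, so the fixed-length and longer-password cases in this thread can be compared directly. The class sizes are an assumption (26 lower, 26 upper, 10 digits, 34 specials), chosen so the full alphabet has 96 symbols, which matches the 7-character figure 75,144,747,810,816 = 96^7 in the reply.

```python
from itertools import combinations

# Assumed class sizes: 26 + 26 + 10 + 34 = 96 symbols (96**7 = 75,144,747,810,816).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 34}


def covering(sizes, length):
    """Strings of `length` over the given classes that use EVERY class at
    least once, by inclusion-exclusion over the classes left out."""
    total = 0
    for k in range(len(sizes) + 1):
        for dropped in combinations(range(len(sizes)), k):
            alphabet = sum(s for i, s in enumerate(sizes) if i not in dropped)
            total += (-1) ** k * alphabet ** length
    return total


def at_least(min_classes, length, classes=CLASSES):
    """Passwords of exactly `length` characters drawn from at least
    `min_classes` of the character classes."""
    sizes = list(classes.values())
    return sum(
        covering(subset, length)
        for k in range(min_classes, len(sizes) + 1)
        for subset in combinations(sizes, k)
    )


def report(length):
    """(rule name, allowed passwords, share of the full keyspace) per rule."""
    full = sum(CLASSES.values()) ** length
    rows = [("no class rule", full),
            ("3 of 4 classes", at_least(3, length)),
            ("all 4 classes", at_least(4, length))]
    return [(name, n, n / full) for name, n in rows]


if __name__ == "__main__":
    for length in (7, 8, 10):
        print(f"length {length}")
        for name, n, share in report(length):
            print(f"  {name:<15} {n:>28,}  {share:6.1%} of 96^{length}")
```

At any one length the all-4 count is a subset of the 3-of-4 count, while the all-4 count at length 8 already exceeds the whole unrestricted keyspace at length 7.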