Re: Password Security Policy Question

From: Nate Lawson (nateat_private)
Date: Tue Sep 17 2002 - 10:06:56 PDT


At 11:36 AM 9/10/2002 -0500, L. Adrian Griffis wrote:
> I am aware of a company that has instituted a policy that limits a
> specific character in people's passwords to being a numeric character.
> Personally, I am confused at this policy.  It seems to me that
> placing such a specific limit on a specific position in a password
> simply reduces the number of guesses that someone would have to try
> in a brute force attack.
>
> Does anyone out there know if there is any theoretical basis for
> believing that a policy to limit a specific character position
> in passwords to a numeric character will enhance security?  If not,
> does anyone know how such a misunderstanding might have occurred?
>
> Adrian

This is a bad idea.  Ross Anderson's group did a good study on different
password selection approaches:
http://www.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf
http://www.cl.cam.ac.uk/~jy212/pro-check.pdf

-Nate
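
The keyspace arithmetic behind Adrian's objection, as an added example that is not part of the original thread and not code from either poster. It compares three policies for an attacker who knows the policy and enumerates only candidates that satisfy it: no constraint, "position k must be a digit" (the policy asked about), and the more common "at least one digit anywhere". The alphabet size (95 printable ASCII characters, 10 of them digits), the password length (8) and the function names are my assumptions; the closed forms are checked against brute-force enumeration over a tiny constructed alphabet.

```python
"""Added example (not part of the mailing-list thread): how much search space a
brute-force attacker saves when a password policy fixes one position to a digit,
compared with the usual "at least one digit somewhere" rule.

Assumptions (mine, not the posters'): 95 printable ASCII characters, of which
10 are digits, and 8-character passwords. The attacker knows the policy and
therefore enumerates only candidates that satisfy it."""
import itertools
import math

PRINTABLE = 95   # assumed alphabet size: printable ASCII 0x20..0x7e
DIGITS = 10      # '0'..'9'


def keyspace_unconstrained(alphabet: int, length: int) -> int:
    """All strings of the given length over the alphabet."""
    return alphabet ** length


def keyspace_fixed_digit_position(alphabet: int, length: int, digits: int = DIGITS) -> int:
    """One designated position must be a digit; the other positions are free.
    Which position is designated does not change the count."""
    return digits * alphabet ** (length - 1)


def keyspace_at_least_one_digit(alphabet: int, length: int, digits: int = DIGITS) -> int:
    """At least one digit somewhere: all strings minus those with no digit at all."""
    return alphabet ** length - (alphabet - digits) ** length


def bits(n: int) -> float:
    """Search space expressed in bits (log2 of the number of candidates)."""
    return math.log2(n)


def compare(alphabet: int = PRINTABLE, length: int = 8, digits: int = DIGITS) -> dict:
    """Return the size of each keyspace in bits and the factor by which each
    policy shrinks the attacker's work relative to an unconstrained password."""
    full = keyspace_unconstrained(alphabet, length)
    fixed = keyspace_fixed_digit_position(alphabet, length, digits)
    any_digit = keyspace_at_least_one_digit(alphabet, length, digits)
    return {
        "unconstrained_bits": bits(full),
        "fixed_position_bits": bits(fixed),
        "at_least_one_digit_bits": bits(any_digit),
        "fixed_position_reduction": full / fixed,          # alphabet / digits, e.g. 9.5x
        "at_least_one_digit_reduction": full / any_digit,  # barely above 1x
    }


def brute_force_counts(symbols: str, digits: str, length: int, position: int = 0) -> tuple:
    """Sanity check of the closed forms by enumerating every string over a tiny
    constructed alphabet. Returns (fixed_position_count, at_least_one_digit_count)."""
    fixed = 0
    any_digit = 0
    for pw in itertools.product(symbols, repeat=length):
        if pw[position] in digits:
            fixed += 1
        if any(ch in digits for ch in pw):
            any_digit += 1
    return fixed, any_digit


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:32s} {value:.2f}")
```

With the assumed 95-character alphabet, fixing one position to a digit hands the attacker a 9.5x smaller space (about 3.2 bits lost, whatever the password length), while "at least one digit anywhere" costs under one bit at length 8, because it only removes the passwords that contain no digit at all. An attacker who does not know the policy gains nothing, but password policies are rarely secret.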
    



This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 19:07:14 PDT