Ansgar, While there is a loss in the number of possible passwords, the main purpose behind password complexity filters is that it FORCES the user to create a complex password. Even with all the password education out there today, there are still a great deal of lazy users who would use "password" if allowed.
As you pointed out, a user could still choose "[EMAIL PROTECTED]," but that is still a step above the plaintext version. You used 3 different ways to represent the character "a." Just in that example alone, you went from requiring a basic dictionary attack (O of 1) to a non-polynomial (combinations) attack. Multiply all the possible 1337 variations across the dictionary, and it is substantially more difficult to crack. User education is key to a strong password policy, but forcing users to create complex passwords is a good place to start. Regards, Jonathan PS - NP Complete problems (those involving combinations) are considered among the hardest in math. There is a $1 million dollar reward if anyone can solve them in polynomial time. Any takers? http://www.claymath.org/millennium/P_vs_NP/ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ansgar -59cobalt- Wiechers Sent: Thursday, August 16, 2007 2:08 PM To: [email protected] Subject: Re: Password complexity - improvement Bruce, On 2007-08-16 Bruce K. Marshall wrote: > Requiring users to create a password of uppercase, lowercase, numbers, > and symbols encourages stronger passwords, not weaker ones. The loss > of possible password choices is negligible and has no negative impacts > other than on the usability of the passwords themselves. I'll be > happy to share the math backing this up if you really want to argue > the point. I do not agree that the loss of possible passwords is necessarily negligible. I'd like to see the math to back up this assumption. And in any case the decrease of the total amount of possible passwords does by definition mean you have a negative impact on security. The impact may indeed be negligible, but you still need to be aware of the fact to make the distinction. Besides, even complexity requirements can't replace user education. A password like "[EMAIL PROTECTED]" would be compliant to the policy in question and still susceptible to dictionary attacks. Regards Ansgar Wiechers -- "The Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user." --http://developer.apple.com/technotes/tn2004/tn2118.html
