Sorry for the wordy post, but bear with me... I have to say that I've really enjoyed the trip down memory lane of combinations and permutations; perhaps the third thing from my A level maths class that I've had to use in "real life" (the other two were simultaneous and quadratic equations!).
However, I think we've drifted off the point here - that being the construction of a strong password. Dubaisans original question concerned increasing the complexity of passwords by enforcing all 4 of the properties of uppercase, lowercase, numbers and special-characters/punctuation. Sorry Ansgar -59cobalt- Wiechers, your maths is upside down; in your example, try a password length of 3 and total characters of 2 - you should get 8 possible passwords, but your formula gives 9. You can prove the formula simply by counting in binary from 000 to 007, which would be a password length of 3 using only 2 characters. The total possible number of passwords for a given password length is therefore: C^N Where C is the number of characters a password can be made up of and N is the length of the password. So as an example lets try a password length of 3 and only lower case characters. The total possible number of passwords to be tried is: 26^3 = 17576 A big number to be sure, but a fast password cracker does 300,000+ tries a second, so that password is toast in under a second. Going with both cases and numbers, the total possible number of password is: (26+26+10)^3 = 238328 A bigger number, but still toast in under a second. Ok, how about a 4 digit password with the same parameters: (26+26+10)^4 = 14776336 That one lasted 49 seconds. Still rubbish but it's pretty clear that the strength of the password is much more strongly related to it's length than to the number of characters used. Now, the industry standard - both cases and numbers and 8 digits: (26+26+10)^8 = 2.183 * (10^14) A nice big number, and plenty big enough to make all but the most worthwhile password too hard for the bruteforce cracker - provided of course that the bruteforce cracker had to be tried because the dictionary attack failed! All this is entirely irrelevant however as the same GPO provides the ability to lock a password out. I recommend no less than 5 tries and no more than 5 minutes of lockout time - so long as you're logging it. This will insert a 5 minute break into the cracking process after every fifth try and even the 3 digit password will be safe when you can only average one try per minute. This protects your domain based passwords (without irritating your users), but you are still vulnerable if somehow the bad guys get a copy of your hashes. Thus, we return to the length of the password and common sense rules: Enforce >=8 digits on your domain users and >=10 on your local machine users (see my last post on how to) and be happy with mixed case letters and numbers alone. If you need really good passwords, go to passphrases of >=15 digits for everything. Thanks for reading it all, I hope it makes sense. Cheers James James D. Stallard, MIoD Infrastructure Technical Architect Web: www.leafgrove.com LinkedIn: www.linkedin.com/in/jamesdstallard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devin Ganger Sent: 16 August 2007 19:50 To: Thor (Hammer of God); [email protected] Subject: RE: Password complexity - improvement Actually, mathematically he's correct, assuming a maximum password size. For the sake of illustration, let's say I have a maximum password size of 10 characters. Let's also say I have 8 possible symbol characters (I'm picking 8 just because I don't know how many legal symbols there are and it rounds the numbers off). For any password, I have to have at least one character from all four of the following sets: Uppercase letters (26) Lowercase letters (26) Numbers (10) Symbols (8) The choice of character for at least four of my ten possible positions is circumscribed, while the other six characters can be from any of the four sets. 26 x 26 x 10 x 8 x 70 x 70 x 70 x 70 x 70 x 70 = 6,362,457,920,000,000 If I didn't have any complexity requirements at all, I'd be able to choose from any of the four sets for all 10 characters: 70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 = 2,824,752,490,000,000,000 That's pretty clearly a reduction in possible passwords of several orders of magnitude. HOWEVER -- and this is a big however -- the original poster is suffering from a logic error (this is what happens when pure mathematics are untempered by a bit of common sense). The problem is *not* "how big of a password pool do I have" but rather "how big of a password search pool do I need to make the attacker have"? In this case, both the "3 of 4" and "4 of 4" requirements produce exactly the same size of pool, precisely because the attacker *doesn't* know which positions will be chosen from which character set -- they have to assume that any position could be any possible character. Furthermore, by knowing that the system requires all four character sets, the attacker *cannot* take a shortcut by relying on the fact that most people are lazy when it comes to password and will do the bare minimum required of them, and remove one of the character sets from their search space -- doing so will not gain them a legitimate password. (How many users in a "3 of 4" setting actually bother to use all four sets?) Finally, one of the assumptions I postulated to show the math doesn't meet the real world either -- if I want a stronger password, I just choose a longer one. The theoretical maximum length for passwords is truly outrageous, so a paranoid admin can bump up the minimum password length and offset any potential "weakness" imposed by requiring all four character sets to be present. In short, the OP is looking at the math from the wrong side of things. -- Devin L. Ganger, Exchange MVP Email: [EMAIL PROTECTED] 3Sharp LLC Phone: 425.882.1032 x1011 14700 NE 95th Suite 210 Cell: 425.239.2575 Redmond, WA 98052 Fax: 425.558.5710 (e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thor (Hammer of God) Sent: Thursday, August 16, 2007 9:33 AM To: [email protected] Subject: RE: Password complexity - improvement Just to follow up, this is incorrect. More possible source characters == more possible combinations. Can you elaborate on what you mean by this? t > > > > Is there a way to enforce all 4 properties. > > Enforcing passwords that MUST consist of uppercase letters, lowercase > letters, numbers AND special characters reduces the total number of > possible passwords, which in consequence has a negative impact on your > security.
