On 2007-08-16 Jonathan Kazmierczyk wrote:
> While there is a loss in the number of possible passwords, the main
> purpose behind password complexity filters is that it FORCES the user
> to create a complex password. Even with all the password education
> out there today, there are still a great deal of lazy users who would
> use "password" if allowed.
>
> As you pointed out, a user could still choose "[EMAIL PROTECTED]," but that is
> still a step above the plaintext version. You used 3 different ways
> to represent the character "a." Just in that example alone, you went
> from requiring a basic dictionary attack (O of 1) to a non-polynomial
> (combinations) attack. Multiply all the possible 1337 variations
> across the dictionary, and it is substantially more difficult to
> crack.
Of course. However, even this increased effort is still a *lot* less
than having to brute-force a password, because it can still be covered
by a dictionary, especially if you don't enforce password length (or
enforce insufficient password length).

> User education is key to a strong password policy, but forcing users
> to create complex passwords is a good place to start.

I'm not saying that enforcing complexity requirements is a bad thing. It
just isn't a silver bullet, and I'm pointing out possible problems of
this requirement so the OP can take them into consideration when making
his decision.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
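As an added illustration (not part of the thread or either poster's text), here is the arithmetic behind Ansgar's point, together with the check a password filter can do to catch the exact case both posters describe: a dictionary word in "1337" disguise. The substitution table and the four-word list are constructed assumptions standing in for an attacker's mangling rules and a real dictionary.

```python
import math
from itertools import product

# Constructed substitution table (assumption: a typical "1337" mapping; the
# thread names none). Each letter may stay as-is or become any listed symbol.
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7+"}

# Constructed sample wordlist standing in for a real dictionary.
WORDS = {"password", "letmein", "welcome", "monkey"}


def leet_variant_count(word):
    """Upper bound on the strings one dictionary word yields under LEET
    (letters sharing a symbol, e.g. 'i' and 'l' -> '1', may collide)."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(LEET.get(ch, ""))
    return count


def dictionary_search_space(words):
    """Guesses needed to cover every word plus all of its leet variants."""
    return sum(leet_variant_count(w) for w in words)


def brute_force_search_space(length, charset_size=95):
    """Guesses needed to cover every string of `length` printable ASCII chars."""
    return charset_size ** length


def effort_gap_bits(words, length):
    """log2 of how much larger the brute-force space at `length` is than the
    mangled dictionary: the gap the reply says complexity rules alone leave."""
    return math.log2(brute_force_search_space(length)) - math.log2(dictionary_search_space(words))


def canonical_forms(candidate):
    """Every plain-letter string that could have produced `candidate` under
    LEET; ambiguous symbols ('1' -> 'i' or 'l') expand to all options."""
    options = []
    for ch in candidate.lower():
        alts = {ch} | {letter for letter, subs in LEET.items() if ch in subs}
        options.append(sorted(alts))
    return {"".join(p) for p in product(*options)}


def rejected_as_mangled_word(candidate, words=WORDS):
    """Filter check: True if the candidate is only a dictionary word with
    symbol substitutions, i.e. it sits inside the cheap search space above."""
    return any(form in words for form in canonical_forms(candidate))
```

With this wordlist the mangled dictionary is 146 guesses against roughly 2^52 for eight printable characters, a gap of about 45 bits, which is why the filter check matters more than the substitution count.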
