[unisog] [Fwd: Is the current password std flawed?]

Clinton E. Troutman troutman at mesh.net
Fri Feb 25 02:30:29 GMT 2005


On Thursday 24 February 2005 06:55 pm, Russell Fulton wrote:
> Hmmm.... from my manager.  What do you think?
>
> I'll post my ideas on this tomorrow.
>
> Russell
>
> -------- Forwarded Message --------
> From: Stephen Taylor (ITSS) <stay091 at vxchange.vcr.auckland.ac.nz>
> To: Russell Fulton <rful011 at vxchange.vcr.auckland.ac.nz>, Bojan Zdrnja
> <b.zdrnja at auckland.ac.nz>
> Subject: Is the current password std flawed?
> Date: Fri, 25 Feb 2005 13:42:51 +1300
> As part of my discussion with CS re NetAccount v 2 enhancements we
> looked at the UoA Password Std.
>
> The following comments were made by CS.
>
> By asking that all passwords must have a numeric and a special character
> we are making it easier for cracking tools because we have effectively
> reduced the "pool" of possible password combinations; e.g. no need to
> check for a password such as "gHsrYBoZ" as this would be rejected as not
> valid.
>
> Similarly by not allowing all numerics such as "33892536".
>
> Thoughts?
>
> Steve

Not true given the following...
- any character position in a given password may contain a char, a numeric, or 
a special character which increases the number of possibles for each 
position, and
- the length of a given password is unknown, and
- the number of letters and/or numbers in a particular password is unknown
Therefore, for each character position in a given password, you will actually 
increase the number of possible "character" choices to be tested, thereby 
increasing the pool of possible passwords and increasing the complexity of 
the crack.

CS's statement would be correct if:
- it is known that a particular character position in any particular password 
*must* contain *only* a numeric, or
- it is known that a particular character position in any particular password 
*must* contain *only* a special character (that can be entered at the 
keyboard), or
- both of the above

Have CS check their statement with the Math Dept...

-- 
Clinton E. Troutman
CeTro
Independent Computer Consultant for Home
  and Home Office in Fort Worth, Texas
http://cetro.sytes.net/
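
The pool sizes under discussion in this thread can be counted directly. The following is an added example, not part of the original messages: it assumes a 94-symbol printable-ASCII alphabet and the fixed 8-character length of the two sample passwords, since the UoA standard itself is not quoted here.

```python
from itertools import combinations, product

# Assumed alphabet: printable ASCII without space (not taken from the UoA standard).
ASCII_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def count_valid(length, required, classes=ASCII_CLASSES):
    """Count strings of `length` that contain at least one symbol from every
    class in `required`, by inclusion-exclusion over the excluded classes."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def count_by_enumeration(length, required, classes):
    """Cross-check for tiny alphabets: enumerate every string of class labels."""
    symbols = [name for name, size in classes.items() for _ in range(size)]
    return sum(
        1 for s in product(symbols, repeat=length)
        if all(r in s for r in required)
    )


def pools(length=8):
    """Pool sizes to be covered for a fixed, known length (an assumption)."""
    full = sum(ASCII_CLASSES.values()) ** length        # no composition rule
    letters_only = 52 ** length                         # e.g. "gHsrYBoZ"
    all_numeric = 10 ** length                          # e.g. "33892536"
    policy = count_valid(length, ["digit", "special"])  # digit AND special required
    return {"full": full, "letters_only": letters_only,
            "all_numeric": all_numeric, "policy": policy}


if __name__ == "__main__":
    p = pools()
    for name, size in p.items():
        print(f"{name:13s} {size:>20,d}  ({size / p['full']:.4%} of full)")
```

Under these assumptions the policy pool is smaller than the unrestricted 94-symbol pool and larger than the letters-only pool; the printed percentages give the exact proportions.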