[unisog] [Fwd: Is the current password std flawed?]

James Riden j.riden at massey.ac.nz
Fri Feb 25 01:39:51 GMT 2005

Russell Fulton <r.fulton at auckland.ac.nz> writes:

> Hmmm.... from my manager.  What do you think?
> I'll post my ideas on this tomorrow.
> Russell
> -------- Forwarded Message --------
> From: [snip]
> To: [snip]
> Subject: Is the current password std flawed?
> Date: Fri, 25 Feb 2005 13:42:51 +1300
> As part of my discussion with CS re NetAccount v 2 enhancements we
> looked at the UoA Password Std.
> The following comments were made by CS.
> By asking that all passwords must have a numeric and a special character
> we are making it easier for cracking tools because we have effectively
> reduced the "pool" of possible password combinations; e.g. no need to
> check for a password such as "gHsrYBoZ" as this would be rejected as not
> valid.
> Similarly by not allowing all numerics such as "33892536".

Off the top of my head, I'd say insisting each password has to have a
digit, upper and lower case will increase the average entropy of your

First, there are more passwords with the characteristics you insist on
than the ones without[1]. Second, if you don't insist on these, your
users will pick simple ones anyway.

[1] Say you insist on the three classes [A-Z][a-z][0-9] being
represented. That's 62^8 (~2.18e14) different passwords, less
52^8+36^8+36^8 (5.91e13) which don't have at least one of each class
represented. Which still leaves you 1.59e14 passwords which are OK.

IOW, you've halved the maximum number of combinations, but you should
have increased the average password entropy considerably - assuming
your users are anything like mine.

For system passwords, you can still use a random password generator
and get the full range of options.

James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
