[unisog] [Fwd: Is the current password std flawed?]

Michael Holstein michael.holstein at csuohio.edu
Fri Feb 25 14:48:09 GMT 2005

> By asking that all passwords must have a numeric and a special character
> we are making it easier for cracking tools because we have effectively
> reduced the "pool" of possible password combinations; e.g. no need to
> check for a password such as "gHsrYBoZ" as this would be rejected as not
> valid.

Mathematically speaking, he/she's correct. But the "brute force" mode is 
seldom actually required to get at least one halfway-useful password. In 
my experience doing (legitimate) password audits, I get better than half 
during the dictionary or hybrid phase (with common substitutions turned 
on). In all cases, this has included at least one admin or service account.

Therefore, I'd say that enforcing some degree of complexity (without 
being overly specific like saying a number must occupy a particular 
character position) is better than letting users pick their own 
passwords (we all know the dog's name, kid's birthday, etc. will be 
their first choice if left to their devices).

However, the enforced degree of complexity is directly proportional to 
the probability you'll find the password on a post-it under the 
keyboard, admins not excepted.

Furthermore, users are quite adept at devising passwords that meet our 
(IT) requirements but are still really easy. You require 8 characters 
with 3/4 types, they'll pick 'M1chael' (my name) instead of the simple 
'michael'. Any cracker would get that in a few seconds.

If you want really secure passwords, the idea has always been to use 
multifactor involving a token or biometric.

My $0.02.

Michael Holstein CISSP GCIA
Cleveland State University

More information about the unisog mailing list