[unisog] [Fwd: Is the current password std flawed?]

Shane Williams shanew at shanew.net
Fri Feb 25 19:40:58 GMT 2005

On Thu, 24 Feb 2005, Clinton E. Troutman wrote:

> Not true given the following...
> - any character position in a given password may contain a char, a numeric, or 
> a special character which increases the number of possibles for each 
> position, and
> - the length of a given password is unknown, and
> - the number of letters and/or numbers in a particular password is unknown
> Therefore, for each character position in a given password, you will actually 
> increase the number of possible "characters" choices to be tested thereby 
> increasing the pool of possible passwords and increasing the complexity of 
> the crack.

My intuition is that you would be correct IF passwords were brute
forced character by character rather than all at once.  BUT, that
said, I learned long ago not to trust my intuition when it comes to
combinatorial math.  Given this fact, I think Clinton's suggestion
that CS consult with the Math department is right on.

Of course, as others have recognized, this problem isn't purely
mathematical, so you probably also ought to ask the Cognitive Psych
folks to weigh in.  After all, the real question is how users behave
with and without such constraints.

Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
All syllogisms contain three lines |              shanew at shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
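
The counting question raised in this thread can be checked directly. The sketch below is an added example, not part of the original message or of any standard discussed on the list: it uses inclusion-exclusion to count passwords that satisfy a composition rule and compares that with the unconstrained pool, for both a fixed and an unknown length. The class sizes (94 printable ASCII characters) and the "at least one of each class" rule are assumptions, since the thread does not quote the actual standard.

```python
from itertools import combinations
from math import log2

# Assumed character classes (printable ASCII); not taken from the thread.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

def unconstrained(length, classes=CLASSES):
    """Number of strings of exactly `length` characters over the full alphabet."""
    return sum(classes.values()) ** length

def constrained(length, required, classes=CLASSES):
    """Number of strings of exactly `length` characters that contain at least
    one character from every class named in `required` (inclusion-exclusion
    over the sets of required classes that are entirely absent)."""
    alphabet = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count

def search_space(min_len, max_len, required=(), classes=CLASSES):
    """Candidates an attacker must cover when only a length range is known."""
    return sum(constrained(n, required, classes)
               for n in range(min_len, max_len + 1))

def bits_lost(length, required, classes=CLASSES):
    """Reduction in log2(search space) caused by the composition rule."""
    return log2(unconstrained(length, classes)
                / constrained(length, required, classes))

if __name__ == "__main__":
    rule = ("lower", "upper", "digit", "special")  # assumed policy
    free, ruled = unconstrained(8), constrained(8, rule)
    print(f"length 8, no rule      : {free:.3e}")
    print(f"length 8, all 4 classes: {ruled:.3e} ({ruled / free:.1%} of the pool)")
    print(f"bits lost to the rule  : {bits_lost(8, rule):.2f}")
    print(f"lengths 1-8, no rule   : {search_space(1, 8):.3e}")
    print(f"lengths 8-12, with rule: {search_space(8, 12, rule):.3e}")
```

This counts only the mathematical pool; it says nothing about how users actually choose passwords under such a rule, which is the behavioural question raised above.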
