[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Password Security Policy Question
At 11:36 AM 9/10/2002 -0500, L. Adrian Griffis wrote:
> I am aware of a company that has instituted a policy that limits a
> specific character in people's passwords to being a numeric character.
> Personally, I am confused at this policy. It seems to me that
> placing such a specific limit on a specific position in a password
> simply reduces the number of guesses that someone would have to try
> in a brute force attack.
> Does anyone out there know if there is any theoretical basis for
> believing that a policy to limit a specific character position
> in passwords to a numeric character will enhance security. If not,
> does anyone know how such a misunderstanding might have occurred?
This is a bad idea. Ross Anderson's group did a good study on different
password selection approaches: