Focus on Microsoft
Thread index:
Password complexity - improvement, Aug 15 2007 06:14AM, dubaisans dubai (dubaisans gmail com) (5 replies)
Re: Password complexity - improvement, Aug 15 2007 06:39PM, Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (4 replies)
RE: Password complexity - improvement, Aug 16 2007 04:32PM, Thor (Hammer of God) (thor hammerofgod com) (2 replies)
Re: Password complexity - improvement, Aug 16 2007 09:09PM, Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
RE: Password complexity - improvement, Aug 15 2007 10:53PM, Adrian Marsden (amarsden jvsdet org) (1 replies)
Re: Password complexity - improvement, Aug 16 2007 03:39PM, Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
RE: Password complexity - improvement, Aug 15 2007 04:25PM, Bean, John (DSHS) (BeanWj dshs wa gov) (1 replies)
RE: Password complexity - improvement, Aug 15 2007 08:44PM, Thor (Hammer of God) (thor hammerofgod com) (1 replies)
RE: Password complexity - improvement, Aug 16 2007 05:16PM, James D. Stallard (james leafgrove com) (1 replies)
Re: Password complexity - improvement, Aug 16 2007 05:49PM, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net)
For the sake of illustration, let's say I have a maximum password size of 10 characters. Let's also say I have 8 possible symbol characters (I'm picking 8 just because I don't know how many legal symbols there are and it rounds the numbers off). For any password, I have to have at least one character from all four of the following sets:
Uppercase letters (26)
Lowercase letters (26)
Numbers (10)
Symbols (8)
The choice of character for at least four of my ten possible positions is circumscribed, while the other six characters can be from any of the four sets.
26 x 26 x 10 x 8 x 70 x 70 x 70 x 70 x 70 x 70 = 6,362,457,920,000,000
If I didn't have any complexity requirements at all, I'd be able to choose from any of the four sets for all 10 characters:
70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 = 2,824,752,490,000,000,000
That's pretty clearly a reduction in possible passwords of several orders of magnitude.
HOWEVER -- and this is a big however -- the original poster is suffering from a logic error (this is what happens when pure mathematics is untempered by a bit of common sense). The problem is *not* "how big of a password pool do I have" but rather "how big of a password search pool do I need to make the attacker have"?
In this case, both the "3 of 4" and "4 of 4" requirements produce exactly the same size of pool, precisely because the attacker *doesn't* know which positions will be chosen from which character set -- they have to assume that any position could be any possible character. Furthermore, by knowing that the system requires all four character sets, the attacker *cannot* take a shortcut by relying on the fact that most people are lazy when it comes to passwords and will do the bare minimum required of them, and remove one of the character sets from their search space -- doing so will not gain them a legitimate password. (How many users in a "3 of 4" setting actually bother to use all four sets?)
Finally, one of the assumptions I postulated to show the math doesn't meet the real world either -- if I want a stronger password, I just choose a longer one. The theoretical maximum length for passwords is truly outrageous, so a paranoid admin can bump up the minimum password length and offset any potential "weakness" imposed by requiring all four character sets to be present.
In short, the OP is looking at the math from the wrong side of things.
--
Devin L. Ganger, Exchange MVP Email: deving (at) 3sharp (dot) com
3Sharp LLC Phone: 425.882.1032 x1011
14700 NE 95th Suite 210 Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Thor (Hammer of God)
Sent: Thursday, August 16, 2007 9:33 AM
To: focus-ms (at) securityfocus (dot) com
Subject: RE: Password complexity - improvement
Just to follow up, this is incorrect. More possible source characters ==
more possible combinations. Can you elaborate on what you mean by this?
t
> >
> > Is there a way to enforce all 4 properties.
>
> Enforcing passwords that MUST consist of uppercase letters, lowercase
> letters, numbers AND special characters reduces the total number of
> possible passwords, which in consequence has a negative impact on your
> security.
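The arithmetic argued over in the message above, as an added example that is not part of Devin Ganger's post or the thread. It uses the message's toy alphabet (26 upper, 26 lower, 10 digits, 8 symbols, 70 in total) and a fixed length of 10. The message's product 26 x 26 x 10 x 8 x 70^6 pins one class to each of four fixed positions; the script instead counts every conforming string by inclusion-exclusion, so its "4 of 4" figure is the exact number of passwords the policy admits. It also returns the "3 of 4" count and the count of passwords that use exactly three classes, which is the subset the "lazy users" argument says an attacker would target, and it validates the formula against brute-force enumeration on a tiny constructed alphabet. The class sizes and alphabets are assumptions for illustration.

```python
"""Exact keyspace arithmetic for character-class password policies.

Added example, not from the original message. The toy alphabet below
(26 + 26 + 10 + 8 = 70 symbols) is the one assumed in the thread.
"""
from itertools import combinations, product

# Assumed class sizes from the message: class name -> number of symbols.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 8}


def count_exactly(classes, present, length):
    """Strings of `length` drawn only from the `present` classes, with every
    one of those classes used at least once (inclusion-exclusion over the
    classes that could be left out)."""
    sizes = [classes[c] for c in present]
    total = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(sizes, k):
            total += (-1) ** k * (sum(sizes) - sum(omitted)) ** length
    return total


def count_at_least(classes, min_classes, length):
    """Strings of `length` that use at least `min_classes` distinct classes,
    i.e. the passwords an "n of m" complexity rule accepts."""
    names = list(classes)
    return sum(
        count_exactly(classes, subset, length)
        for r in range(min_classes, len(names) + 1)
        for subset in combinations(names, r)
    )


def brute_force_at_least(alphabets, min_classes, length):
    """Enumerate every string over small concrete alphabets and count those
    meeting the rule; only used to check the formula on a tiny case."""
    symbols = [(ch, cls) for cls, chars in alphabets.items() for ch in chars]
    return sum(
        1
        for pw in product(symbols, repeat=length)
        if len({cls for _, cls in pw}) >= min_classes
    )


def keyspace_summary(classes=CLASSES, length=10):
    """Attacker-facing search space vs. policy-conforming password counts."""
    unconstrained = sum(classes.values()) ** length  # attacker who knows nothing about positions
    three_of_four = count_at_least(classes, 3, length)
    four_of_four = count_at_least(classes, 4, length)
    return {
        "unconstrained": unconstrained,
        "3_of_4": three_of_four,
        "4_of_4": four_of_four,
        # Passwords a "do the bare minimum" user produces under a 3-of-4 rule.
        "exactly_3": three_of_four - four_of_four,
        # The fixed-position product from the message, for comparison.
        "message_product": 26 * 26 * 10 * 8 * 70 ** 6,
    }


# Tiny constructed alphabet used to validate the formula by enumeration.
SMALL_ALPHABETS = {"upper": "AB", "lower": "ab", "digit": "1", "symbol": "!"}
SMALL_CLASSES = {cls: len(chars) for cls, chars in SMALL_ALPHABETS.items()}

if __name__ == "__main__":
    for rule in (3, 4):
        assert count_at_least(SMALL_CLASSES, rule, 4) == brute_force_at_least(SMALL_ALPHABETS, rule, 4)
    for name, value in keyspace_summary().items():
        print(f"{name:>16}: {value:,}")
```

Run it once and compare the "4_of_4" line with "message_product": the exact count is far larger, because the four mandatory classes can land in any positions, while the unconstrained 70^10 figure is what an attacker who does not know the positions must still search.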