Ansgar,

I see what you are saying now... You are "wrong"... Mathematically... You are correct practically... But you are only correct if the attacker _knows_ that the enforced policy contains all four character sets. If he doesn't then he is faced with the full mathematically calculated recordset to attack. If he knows that the policy requires all four sets then he can remove all password attempts that don't contain all four sets from his "repertoire". In this case you are correct... I would suggest that this makes you more vulnerable to "local" attacks where the attacker is familiar with the network or a determined attacker that might use social engineering to ascertain the policy beforehand but for "casual" attackers you remain better off with the four set policy.

Understanding the threat, maybe MS were smart when they didn't allow all four character set enforcement out of the box.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] on behalf of Ansgar -59cobalt- Wiechers
Sent: Wed 8/15/2007 2:39 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Cc:
Subject: Re: Password complexity - improvement

On 2007-08-15 dubaisans dubai wrote:
> Is there a way to improve the password complexity requirements in
> Windows 2000/2003 servers
>
> The default will enforce 3 of the following 4 properties - Uppercase,
> smallercase, numbers, special-characters.
>
> Is there a way to enforce all 4 properties.

Enforcing passwords that MUST consist of uppercase letters, lowercase
letters, numbers AND special characters reduces the total number of
possible passwords, which in consequence has a negative impact on your
security.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

[ reply ]