You may have reduced the number of usable character combinations in a
fixed character password. But if I simply add the requirement of
having all 4 character types and leave the upper limit open, I have
just increased the keyspace astronomically.

Example
with password length fixed at 7 characters here are some numbers to look at:
Lower case only password has a keyspace of 8,031,810,176
Upper & lower case keyspace = 1,028,071,702,528
Upper, lower case & numbers = 3,521,614,606,208
Upper, lower, number & Special = 75,144,747,810,816

for a 10 Character password
Lower case only password has a keyspace of 141,167,095,653,376
Upper & lower case keyspace = 144,555,105,949,057,000
Upper, lower case & numbers = 839,299,365,868,340,000
Upper, lower, number & Special = 66,483,263,599,150,100,000

So, I do not agree that it is a negative impact on security.
Chris.

On 8/15/07, Ansgar -59cobalt- Wiechers <bugtraq (at) planetcobalt (dot) net [email concealed]> wrote:
> On 2007-08-15 dubaisans dubai wrote:
> > Is there a way to improve the password complexity requirements in
> > Windows 2000/2003 servers
> >
> > The default will enforce 3 of the following 4 properties - Uppercase,
> > smallercase, numbers, special-characters.
> >
> > Is there a way to enforce all 4 properties.
>
> Enforcing passwords that MUST consist of uppercase letters, lowercase
> letters, numbers AND special characters reduces the total number of
> possible passwords, which in consequence has a negative impact on your
> security.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
>

[ reply ]