On 2007-08-15 Thor (Hammer of God) wrote:
On Wednesday, August 15, 2007 11:39 AM Ansgar -59cobalt- Wiechers wrote:
On 2007-08-15 dubaisans dubai wrote:
Is there a way to improve the password complexity requirements in
Windows 2000/2003 servers

The default will enforce 3 of the following 4 properties -
Uppercase, smallercase, numbers, special-characters.

Is there a way to enforce all 4 properties.

Enforcing passwords that MUST consist of uppercase letters, lowercase
letters, numbers AND special characters reduces the total number of
possible passwords, which in consequence has a negative impact on

er? Care to share? ;)

Assume we have four groups of characters:

u = 26 (uppercase letters)
l = 26 (lowercase letters)
d = 10 (digits)
s = k (special characters)

Further assume we have a fixed-lenght password of n characters (for
simplicity). The total number of passwords in this scenario amounts to:

n^(u+l+d+s)

However, if you enforce that the password MUST consist of characters
from each group, you effectively exclude certain passwords from this
total amount:

n^u (passwords consisting of u characters only)
n^l (passwords consisting of l characters only)
n^d (passwords consisting of d characters only)
n^s (passwords consisting of s characters only)
n^(u+l) (passwords consisting of u and l characters only)
n^(u+d) (passwords consisting of u and d characters only)
n^(u+s) (passwords consisting of u and s characters only)
n^(l+d) (passwords consisting of l and d characters only)
n^(l+s) (passwords consisting of l and s characters only)
n^(d+s) (passwords consisting of d and s characters only)
n^(u+l+d) (passwords consisting of u, l and d characters only)
n^(u+l+s) (passwords consisting of u, l and s characters only)
n^(l+d+s) (passwords consisting of l, d and s characters only)

Thus the total amount of passwords in a scenario where the password must
consist of characters from each group would be reduced to:

n^(u+l+d+s) - n^u - n^l - n^d - n^s - n^(u+l) - n^(u+d) - n^(u+s)
- n^(l+d) - n^(l+s) - n^(d+s) - n^(u+l+d) - n^(u+l+s) - n^(l+d+s)

I suppose you'll agree that this *is* a significant decrease in the
number of potential password, which an attacker may use to his own