Re: Password complexity - improvement



On 2007-08-15 Thor (Hammer of God) wrote:
On Wednesday, August 15, 2007 11:39 AM Ansgar -59cobalt- Wiechers wrote:
On 2007-08-15 dubaisans dubai wrote:
Is there a way to improve the password complexity requirements in
Windows 2000/2003 servers

The default will enforce 3 of the following 4 properties -
Uppercase, smallercase, numbers, special-characters.

Is there a way to enforce all 4 properties.

Enforcing passwords that MUST consist of uppercase letters, lowercase
letters, numbers AND special characters reduces the total number of
possible passwords, which in consequence has a negative impact on
your security.

er? Care to share? ;)

Assume we have four groups of characters:

u = 26 (uppercase letters)
l = 26 (lowercase letters)
d = 10 (digits)
s = k (special characters)

Further assume we have a fixed-lenght password of n characters (for
simplicity). The total number of passwords in this scenario amounts to:

n^(u+l+d+s)

However, if you enforce that the password MUST consist of characters
from each group, you effectively exclude certain passwords from this
total amount:

n^u (passwords consisting of u characters only)
n^l (passwords consisting of l characters only)
n^d (passwords consisting of d characters only)
n^s (passwords consisting of s characters only)
n^(u+l) (passwords consisting of u and l characters only)
n^(u+d) (passwords consisting of u and d characters only)
n^(u+s) (passwords consisting of u and s characters only)
n^(l+d) (passwords consisting of l and d characters only)
n^(l+s) (passwords consisting of l and s characters only)
n^(d+s) (passwords consisting of d and s characters only)
n^(u+l+d) (passwords consisting of u, l and d characters only)
n^(u+l+s) (passwords consisting of u, l and s characters only)
n^(l+d+s) (passwords consisting of l, d and s characters only)

Thus the total amount of passwords in a scenario where the password must
consist of characters from each group would be reduced to:

n^(u+l+d+s) - n^u - n^l - n^d - n^s - n^(u+l) - n^(u+d) - n^(u+s)
- n^(l+d) - n^(l+s) - n^(d+s) - n^(u+l+d) - n^(u+l+s) - n^(l+d+s)

I suppose you'll agree that this *is* a significant decrease in the
number of potential password, which an attacker may use to his own
advantage, e.g. when bruteforcing passwords.

How serious the impact turns out to be is another story, but that
doesn't make it go away.

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html