Re: Password complexity - improvement



On 2007-08-16 Jonathan Kazmierczyk wrote:
> While there is a loss in the number of possible passwords, the main
> purpose behind password complexity filters is that it FORCES the user
> to create a complex password. Even with all the password education
> out there today, there are still a great deal of lazy users who would
> use "password" if allowed.
>
> As you pointed out, a user could still choose "b@n4na," but that is
> still a step above the plaintext version. You used 3 different ways
> to represent the character "a." Just in that example alone, you went
> from requiring a basic dictionary attack (O of 1) to a non-polynomial
> (combinations) attack. Multiply all the possible 1337 variations
> across the dictionary, and it is substantially more difficult to
> crack.

Of course. However, even this increased effort is still a *lot* less
than having to brute-force a password, because it can still be covered
by a dictionary, especially if you don't enforce password length (or
enforce insufficient password length).

> User education is key to a strong password policy, but forcing users
> to create complex passwords is a good place to start.

I'm not saying that enforcing complexity requirements is a bad thing. It
just isn't a silver bullet, and I'm pointing out possible problems of
this requirement so the OP can take them into consideration when making
his decision.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq