Benefits and drawbacks of password complexity

From: Russ (rwsinclair@mcpmail.com)
Date: 02/10/03


From: "Russ" <rwsinclair@mcpmail.com>
Date: Mon, 10 Feb 2003 06:54:39 -0800


I'm not sure why you think you need your own passfilt.

Without passfilt, you can do all the things you listed,
although 6 characters could be anything (including, as I
found out in my environment, 123456 or aaaaaa). Passfilt
forces 3 of 4 of upper case, lower case, number, special
character, which makes Password1 valid.

It's a fine line between a strong password that the user
can remember, and one that will be written down, but with
no complexity requirement at all, you're pretty much wide
open. I kind of like the sentence approach suggested by
Peter.

>-----Original Message-----
>My company has +3,000 users. I need to enable password
>policies there. Management wants just 6 characters
>alphanum passwords (and then I have to create my own
>passfilt.dll). I would enforce lockout (3 times),
>password history=11, too.
>
>I thought a 6 characters "password complexity" would be
>stronger. But they came up with the following argument:
>
>"If you have this password complexity and forcing users
>to change it every 6 months, people will have a tendency
>to write the passwords in a piece of paper, because it is
>hard to remember and come up with new difficult passwords
>such as PaSsword10$". What do you think ?
>
>
>.
>