Bruce, On 2007-08-16 Bruce K. Marshall wrote: > Requiring users to create a password of uppercase, lowercase, numbers, > and symbols encourages stronger passwords, not weaker ones. The loss > of possible password choices is negligible and has no negative impacts > other than on the usability of the passwords themselves. I'll be > happy to share the math backing this up if you really want to argue > the point.
I do not agree that the loss of possible passwords is necessarily negligible. I'd like to see the math to back up this assumption. And in any case the decrease of the total amount of possible passwords does by definition mean you have a negative impact on security. The impact may indeed be negligible, but you still need to be aware of the fact to make the distinction. Besides, even complexity requirements can't replace user education. A password like "[EMAIL PROTECTED]" would be compliant to the policy in question and still susceptible to dictionary attacks. Regards Ansgar Wiechers -- "The Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user." --http://developer.apple.com/technotes/tn2004/tn2118.html
