Don't confuse password strength with the number of passwords available. Ansgar is correct with the math permutations. Any limitation reduces your population set to fewer possible passwords, weak or not.
~Dave -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson, Eric R IT3 (CVN75 CS-3) Sent: Wednesday, August 15, 2007 4:46 PM To: Ansgar -59cobalt- Wiechers Cc: [email protected] Subject: RE: Password complexity - improvement Ansgar, You're absolutely wrong in your statement here. Enforcing passwords that MUST consist of uppercase letters, lowercase letter, numbers AND special characters INCREASES the total number of possible passwords; which in turn has a positive impact on your security. It is much harder to break a password of AaBb1! than aabb1! The more options there are that are enforced, the more complex the passwords. The determining factor in this case would be how long or short the password lengths are. R/ Jackson -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ansgar -59cobalt- Wiechers Sent: Wednesday, August 15, 2007 2:39 PM To: [email protected] Subject: Re: Password complexity - improvement On 2007-08-15 dubaisans dubai wrote: > Is there a way to improve the password complexity requirements in > Windows 2000/2003 servers > > The default will enforce 3 of the following 4 properties - Uppercase, > smallercase, numbers, special-characters. > > Is there a way to enforce all 4 properties. Enforcing passwords that MUST consist of uppercase letters, lowercase letters, numbers AND special characters reduces the total number of possible passwords, which in consequence has a negative impact on your security. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq -------------------------------------------------------------------- "*** NOTICE *** The information in this communication and any attachment may contain confidential and proprietary information of Security Connections, Inc. and/or its affiliates and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you are hereby notified that any review, reliance, duplication or distribution without express permission is strictly prohibited and may cause liability. If you have received this communication in error, please notify the sender immediately by reply email and delete or destroy all copies of this communication and any attachments. Any views expressed in this communication are those of the individual sender, except where authorized and explicitly stated otherwise."
