On 2007-08-16 Thor (Hammer of God) wrote:
> Ah.... NOW I see what you mean... As in, if you required all 4
> complexity requirements, and you knew the first three characters were
> Aa1, then you'd know for a fact that the last character had to be a
> "special" character...

Not exactly. By requiring characters from all 4 groups to be present in
the password you reduce the number of passwords an attacker must
brute-force (because he can skip certain passwords now). How much that
will gain him effectively depends on the length of the passwords and the
number of special characters. I agree that for passwords of reasonable
length and with an adequate number of special characters the loss will
indeed be negligible, but I still think you need to take this effect
into consideration before implementing a policy like that.

> Only problem with that is that a BF attack does not give us one
> character at a time. You have to "crack" the hash in singularity...

I am aware of that.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
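The effect discussed in the message above can be quantified when evaluating such a policy. The following is an added example, not part of the original post: it counts by inclusion-exclusion how many passwords of a given length satisfy an "all 4 groups" rule and what share of the unrestricted keyspace the rule excludes. The class sizes (26 lowercase, 26 uppercase, 10 digits) and the sample special-character counts are assumptions chosen for illustration.

```python
from fractions import Fraction
from itertools import combinations


def compliant_count(length, class_sizes):
    """Number of strings of `length` containing at least one character
    from every class (inclusion-exclusion over the classes left out)."""
    total = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, k):
            # Strings that avoid every class in `missing`.
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def skipped_fraction(length, specials, lower=26, upper=26, digits=10):
    """Share of the unrestricted keyspace that the policy rules out,
    i.e. candidates that no longer need to be tested."""
    sizes = (lower, upper, digits, specials)
    total = sum(sizes) ** length
    return Fraction(total - compliant_count(length, sizes), total)


def report(lengths=(4, 6, 8, 10, 12), special_counts=(1, 10, 32)):
    """Rows of (specials, length, skipped share) for constructed inputs."""
    return [(s, n, float(skipped_fraction(n, s)))
            for s in special_counts for n in lengths]


if __name__ == "__main__":
    for s, n, share in report():
        print(f"specials={s:2d} length={n:2d} excluded={share:6.1%}")
```

The excluded share shrinks as the length grows and as the special-character set gets larger, which is the dependency the message describes.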
