On 2/13/2007 12:30 PM, Hal Merritt wrote:
> Other than there is not one shred of evidence to suggest this makes for
> stronger security? And ample experiences of increased help desk calls
> that actually lead to weakened security? And complex passwords generate
> sticky notes?

Mixed-case does not necessarily mean the password will seem more complex to the user. That kind of complexity is really a function of the rules that the security administrator tries to impose. If you tell me I can use mixed-case, but do not restrict where I put the characters, then I can, for example, use two words with initial or trailing caps, and other letters lower-case. That is then more complex for a brute-force password cracker, but no more complex for me as a user.


> Only auditors think that this adds value. Those with actual knowledge
> think otherwise.

I believe that allowing mixed-case does increase security, as it makes the number of possible passwords of any given length much greater, and increases the amount of time needed for brute-force password guessing.

However, whether you have mixed-case or not, the administrator can compromise security by making the password rules too restrictive.


> But wait. There is more. Not all applications that actually interact
> with the keyboard will get this right. Some might pass the password as
> is, but some may translate it to upper case first. And then there are
> the character translation issues.

The character translation issues should not apply; we're only talking mixed-case A-Z, a-z, not allowing additional characters with variant mappings depending on code page.

You're right, though, that all the applications that are passing the password along need to know to leave it as the user entered it. That makes migrating to mixed-case passwords harder than it would have been if we'd made the security product do the upper-casing of the input many years ago.

        Walt Farrell, CISSP
        z/OS Security Design, IBM
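An added example (not from this thread, and not IBM or RACF code) that puts numbers on the two points above: how much the keyspace grows when case is preserved, and how a front-end that upper-cases the password before forwarding it breaks verification against a case-preserving store. The verifier, salt and front-end are constructed stand-ins for illustration.

```python
import hashlib
import hmac
import math

UPPER_ONLY = 26   # A-Z
MIXED_CASE = 52   # A-Z plus a-z


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly chosen password of that shape."""
    return length * math.log2(alphabet_size)


def exhaust_seconds(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password at a given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def two_word_pattern_keyspace(dictionary_size):
    """Constructed policy from the thread: two dictionary words, each with an
    initial or trailing capital, all other letters lower-case. Easy for the
    user, but only 4 capitalisation choices per pair of words for a cracker."""
    return dictionary_size ** 2 * 4


# Constructed case-preserving verifier: hashes the password exactly as entered.
SALT = b"constructed-salt"


def enroll(password):
    return hashlib.sha256(SALT + password.encode("utf-8")).hexdigest()


def verify(stored_digest, candidate):
    return hmac.compare_digest(stored_digest, enroll(candidate))


def legacy_frontend(password):
    """Constructed stand-in for an application that upper-cases before
    forwarding: the compatibility problem described in the thread."""
    return password.upper()


def login_via(frontend, stored_digest, password):
    """Run the user's input through a front-end, then verify what arrives."""
    return verify(stored_digest, frontend(password))


if __name__ == "__main__":
    print(keyspace(8, MIXED_CASE) // keyspace(8, UPPER_ONLY))  # 256x larger
    d = enroll("BlueLagoon")
    print(login_via(lambda p: p, d, "BlueLagoon"), login_via(legacy_frontend, d, "BlueLagoon"))
```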

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
