Network Security Focus-Microsoft

RE: Password complexity - improvement

Subject: RE: Password complexity - improvement
Date: Thu, 16 Aug 2007 11:50:01 -0700
Actually, mathematically he's correct, assuming a maximum password size.

For the sake of illustration, let's say I have a maximum password size of 10 
characters. Let's also say I have 8 possible symbol characters (I'm picking 8 
just because I don't know how many legal symbols there are and it rounds the 
numbers off). For any password, I have to have at least one character from all 
four of the following sets:

Uppercase letters (26)
Lowercase letters (26)
Numbers (10)
Symbols (8)

The choice of character for at least four of my ten possible positions is 
circumscribed, while the other six characters can be from any of the four sets.

26 x 26 x 10 x 8 x 70 x 70 x 70 x 70 x 70 x 70 = 6,362,457,920,000,000

If I didn't have any complexity requirements at all, I'd be able to choose from 
any of the four sets for all 10 characters:

70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 = 2,824,752,490,000,000,000

That's pretty clearly a reduction in possible passwords of several orders of 
magnitude.

HOWEVER -- and this is a big however -- the original poster is suffering from a 
logic error (this is what happens when pure mathematics are untempered by a bit 
of common sense). The problem is *not* "how big of a password pool do I have" 
but rather "how big of a password search pool do I need to make the attacker 
have"?

In this case, both the "3 of 4" and "4 of 4" requirements produce exactly the 
same size of pool, precisely because the attacker *doesn't* know which 
positions will be chosen from which character set -- they have to assume that 
any position could be any possible character. Furthermore, by knowing that the 
system requires all four character sets, the attacker *cannot* take a shortcut 
by relying on the fact that most people are lazy when it comes to passwords and 
will do the bare minimum required of them, and remove one of the character sets 
from their search space -- doing so will not gain them a legitimate password. 
(How many users in a "3 of 4" setting actually bother to use all four sets?)

Finally, one of the assumptions I postulated to show the math doesn't meet the 
real world either -- if I want a stronger password, I just choose a longer one. 
The theoretical maximum length for passwords is truly outrageous, so a paranoid 
admin can bump up the minimum password length and offset any potential 
"weakness" imposed by requiring all four character sets to be present.

In short, the OP is looking at the math from the wrong side of things.

--
Devin L. Ganger, Exchange MVP      Email: deving@3sharp.com
3Sharp LLC                         Phone: 425.882.1032 x1011
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Thor (Hammer of God)
Sent: Thursday, August 16, 2007 9:33 AM
To: focus-ms@securityfocus.com
Subject: RE: Password complexity - improvement

Just to follow up, this is incorrect. More possible source characters ==
more possible combinations.  Can you elaborate on what you mean by this?

t


Is there a way to enforce all 4 properties?

Enforcing passwords that MUST consist of uppercase letters, lowercase
letters, numbers AND special characters reduces the total number of
possible passwords, which in consequence has a negative impact on your
security.
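
The counting in Devin's reply, worked through as an added example that is not part of the thread: it reproduces the poster's two figures (the fixed-position product and 70^10), then goes further and computes the exact number of passwords that satisfy a "4 of 4" or "3 of 4" rule by inclusion-exclusion, and the length at which a "4 of 4" policy admits more passwords than an unconstrained 10-character one. The 8-symbol class is the poster's illustrative assumption, kept here as given.

```python
from itertools import combinations
from math import prod

# Character classes as the post sets them up: 26 upper, 26 lower, 10 digits
# and 8 symbols (the poster's illustrative figure), 70 characters in total.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 8}
ALPHABET = sum(CLASSES.values())  # 70

def unconstrained(length):
    """Search space with no complexity rule: any of 70 chars in every position."""
    return ALPHABET ** length

def fixed_position_estimate(length):
    """The post's illustration: one position reserved per class, the rest free."""
    return prod(CLASSES.values()) * ALPHABET ** (length - len(CLASSES))

def count_using_all(present, length):
    """Exact count of strings of `length` over the union of the classes in
    `present` that use every one of those classes at least once
    (inclusion-exclusion over the subsets of classes left out)."""
    present = list(present)
    total = 0
    for k in range(len(present) + 1):
        for left_out in combinations(present, k):
            alphabet = sum(CLASSES[c] for c in present if c not in left_out)
            total += (-1) ** k * alphabet ** length
    return total

def four_of_four(length):
    """Passwords that contain at least one character from every class."""
    return count_using_all(CLASSES, length)

def three_of_four(length):
    """Passwords that satisfy a '3 of 4' rule: all four classes, or exactly three."""
    exactly_three = sum(count_using_all(subset, length)
                        for subset in combinations(CLASSES, 3))
    return four_of_four(length) + exactly_three

def min_length_to_exceed(target, policy=four_of_four):
    """Shortest length at which `policy` admits more passwords than `target`."""
    n = 1
    while policy(n) <= target:
        n += 1
    return n

if __name__ == "__main__":
    n = 10
    print(f"70^{n}, no rule:                {unconstrained(n):,}")
    print(f"post's fixed-position figure:  {fixed_position_estimate(n):,}")
    print(f"exact 4-of-4 at length {n}:     {four_of_four(n):,}")
    print(f"exact 3-of-4 at length {n}:     {three_of_four(n):,}")
    # Under either rule the attacker, not knowing where each class sits,
    # still has to search all 70^n strings; length is what moves that number.
    print("4-of-4 length needed to beat 70^10:", min_length_to_exceed(unconstrained(n)))
```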
