Ansgar,
I see what you are saying now... You are "wrong"... Mathematically... You are
correct practically... But you are only correct if the attacker _knows_ that
the enforced policy contains all four character sets. If he doesn't then he is
faced with the full mathematically calculated recordset to attack. If he knows
that the policy requires all four sets then he can remove all password attempts
that don't contain all four sets from his "repertoire". In this case you are
correct... I would suggest that this makes you more vulnerable to "local"
attacks where the attacker is familiar with the network or a determined
attacker that might use social engineering to ascertain the policy beforehand
but for "casual" attackers you remain better off with the four set policy.
Understanding the threat, maybe MS were smart when they didn't allow all four
character set enforcement out of the box.
-----Original Message-----
From: listbounce@securityfocus.com on behalf of Ansgar -59cobalt- Wiechers
Sent: Wed 8/15/2007 2:39 PM
To: focus-ms@securityfocus.com
Cc:
Subject: Re: Password complexity - improvement
On 2007-08-15 dubaisans dubai wrote:
Is there a way to improve the password complexity requirements in
Windows 2000/2003 servers
The default will enforce 3 of the following 4 properties - Uppercase,
smallercase, numbers, special-characters.
Is there a way to enforce all 4 properties.
Enforcing passwords that MUST consist of uppercase letters, lowercase
letters, numbers AND special characters reduces the total number of
possible passwords, which in consequence has a negative impact on your
security.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
