I am aware of a company that has instituted a policy that limits a specific character in people's passwords to being a numeric character. Personally, I am confused by this policy. It seems to me that placing such a specific limit on a specific position in a password simply reduces the number of guesses that someone would have to try in a brute force attack. Does anyone out there know if there is any theoretical basis for believing that a policy to limit a specific character position in passwords to a numeric character will enhance security? If not, does anyone know how such a misunderstanding might have occurred?

Adrian