There are a couple of issues to consider here.

Mathematically, it is a weaker password because you limit yourself to ten possible characters as one of the characters in the password string, and it's a simple combinatorics exercise to figure it out. For example, if we limit ourselves to printing ASCII characters (94 of them, if I counted correctly) as the set of all possible password characters and assume the use of an eight-character password, we have 6095689385410816 possible combinations (94^8). If we limit one character of the password string to be a numeral, though, we only have 648477594192640 possible combinations. By not limiting one character to being a numeral you achieve 9.4 times the number of possible combinations.

Added to this are your other concerns. If one particular position in the string is required to be the numeral, then there will be less guesswork involved as opposed to at least one position (any position) being a numeral. For that matter, the number of possible password combinations goes down even more dramatically if you only allow one position to be a numeral (295090346557440 combinations). Remove non-alphanumerics and it is further reduced. You see where this is going.

A softer side to this is that users will often increment the numeral, making it fairly easy for an attacker to guess. Or maybe the numeral corresponding to the calendar month is always used. So on and so forth.

Chris

On Tue, 10 Sep 2002, L. Adrian Griffis wrote:

> I am aware of a company that has instituted a policy that limits a
> specific character in people's passwords to being a numeric character.
> Personally, I am confused at this policy. It seems to me that
> placing such a specific limit on a specific position in a password
> simply reduces the number of guesses that someone would have to try
> in a brute force attack.
>
> Does anyone out there know if there is any theoretical basis for
> believing that a policy to limit a specific character position
> in passwords to a numeric character will enhance security? If not,
> does anyone know how such a misunderstanding might have occurred?
>
> Adrian
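The keyspace arithmetic from Chris's reply, written out as an added example (not part of the original thread); it reproduces the thread's three figures for 94 printable characters and 10 numerals, and also goes one step further to the "numeral in at least one position, any position" policy that the reply contrasts with the fixed-position rule. The policy names and function names are my own.

```python
from math import log2

# Character-set sizes used in the thread: 94 printable ASCII characters,
# 10 of which are numerals.
PRINTABLE = 94
DIGITS = 10
NON_DIGITS = PRINTABLE - DIGITS


def keyspace(policy: str, length: int = 8) -> int:
    """Number of distinct passwords a policy admits for the given length."""
    if policy == "any":
        # No constraint at all: 94^8 for eight characters.
        return PRINTABLE ** length
    if policy == "fixed_digit":
        # One specific position must be a numeral; the others are unrestricted.
        return DIGITS * PRINTABLE ** (length - 1)
    if policy == "only_fixed_digit":
        # A numeral in one specific position and nowhere else.
        return DIGITS * NON_DIGITS ** (length - 1)
    if policy == "at_least_one_digit":
        # Numeral somewhere (any position): all strings minus the digit-free ones.
        return PRINTABLE ** length - NON_DIGITS ** length
    if policy == "exactly_one_digit":
        # Exactly one numeral, in any of the `length` positions.
        return length * DIGITS * NON_DIGITS ** (length - 1)
    raise ValueError(f"unknown policy: {policy}")


def bits(n: int) -> float:
    """Keyspace size expressed as equivalent entropy in bits (log2)."""
    return log2(n)


def shrink_factor(policy: str, length: int = 8) -> float:
    """How many times smaller the keyspace is than the unconstrained one."""
    return keyspace("any", length) / keyspace(policy, length)


if __name__ == "__main__":
    for p in ("any", "at_least_one_digit", "fixed_digit",
              "exactly_one_digit", "only_fixed_digit"):
        n = keyspace(p)
        print(f"{p:20s} {n:>20d}  {bits(n):6.2f} bits  1/{shrink_factor(p):.1f}")
```

The point the reply makes shows up directly in the ordering: a numeral required in at least one position costs under one bit, pinning it to a fixed position costs the full 9.4x the reply computes, and forbidding numerals elsewhere cuts it further still.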