Subject: Re: security/10206 - proposed solution (concept)
To: Elad Efrat <elad@NetBSD.org>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 09/03/2005 14:34:01
>The current version has the following options when setting a policy:
>minlen, maxlen, upper, lower, digits, punct.

I've implemented something similar in another OS...

>An example entry in /etc/passwd.conf for at least 8 character passwords
>combining both upper/lower case and digits can be:

>policy:
>  minlen = 8
>  upper = yes
>  lower = yes
>  digits = yes

Actually I think this is a bad idea - it actually helps an attacker narrow
the keyspace.  The approach I took was to document the different character
sets that the full ASCII space is divided into, and then have a setting that
states how many of those sets have to be used.  No detail of which ones
are used so an attacker still has to consider them all.

I also have another mode where the restriction simply states how many times
the passwd must change character set - but this can be met using only two
sets and toggling between them - but again an attacker cannot deduce from
the config that the keyspace has been narrowed.

Apart from anything else, keeping the full keyspace is good when
trying to meet requirements like FIPS 140 or the
Common Criteria FIA_SOS family.

--sjg
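The two policy modes described in the message above (a minimum number of the documented character sets, and a minimum number of character-set changes), as an added example that is not part of the original thread or of the proposed passwd.conf implementation; the function and option names (check_policy, minsets, minchanges) and the four-way split of printable ASCII are assumptions of this example.

```python
import string

# Assumed split of the printable ASCII space into documented character sets.
# The policy only says how many of these must appear, never which ones.
CHARACTER_SETS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "punct": set(string.punctuation),
}


def class_of(c):
    """Name of the character set containing c, or None (space, control)."""
    for name, chars in CHARACTER_SETS.items():
        if c in chars:
            return name
    return None


def classes_used(password):
    """Set of character-set names that occur anywhere in the password."""
    return {class_of(c) for c in password} - {None}


def class_changes(password):
    """How many times consecutive characters switch character set.

    Toggling between just two sets (e.g. 'a1a1a1a1') satisfies a high
    count, which is the weakness the message notes for this mode."""
    changes = 0
    prev = None
    for c in password:
        cur = class_of(c)
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    return changes


def check_policy(password, minlen=8, minsets=0, minchanges=0):
    """Return the list of violated rules; an empty list means it passes."""
    failures = []
    if len(password) < minlen:
        failures.append(f"shorter than minlen={minlen}")
    if len(classes_used(password)) < minsets:
        failures.append(f"uses fewer than minsets={minsets} character sets")
    if class_changes(password) < minchanges:
        failures.append(f"fewer than minchanges={minchanges} character-set changes")
    return failures
```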