AD and enforced password policies

Steven Bellovin smb at
Mon Jan 2 19:45:29 CST 2012

On Jan 2, 2012, at 7:05 PM, Gary Buhrmaster wrote:

> On Mon, Jan 2, 2012 at 22:32, Jimmy Hess <mysidia at> wrote:
> ....
>> The sole root cause for "easily guessable passwords"  is  not  lack of
>> technical restrictions. It's also:  lazy or limited memory humans who need
>> passwords that they can remember.
>> Firstname1234!    is very easy to guess, and meets complexity and usual
>> length requirements.
> Obligatory xkcd reference:
Thanks; you saved me the trouble.

There's a discussion of the topic going on right now on a cryptography mailing
list; check out if you want.
Also see my (mostly tongue in cheek) blog post at
and the very serious followup at

I should add that except for targeted attacks, strong passwords are greatly
overrated; neither phishing attacks nor keystroke loggers care how good your 
password is.

I just went through some calculations for a (government) site that has the
following rules:

      Minimum Length : 8
      Maximum Length : 12
      Maximum Repeated Characters : 2
      Minimum Alphabetic Characters Required : 1
      Minimum Numeric Characters Required : 1
      Starts with a Numeric Character
      No User Name
      No past passwords
      At least one character must be ~!@#$%^&*()-_+\verb!+={}[]\|;:/?.,<>"'`!

Under the plausible assumption that very many people will start with a string
of digits, continue with a string of lower-case letters to reach seven characters,
and then add a period, there are only ~5,000,000,000 choices.  That's not many at
all -- but the rules look just fine...

		--Steve Bellovin,

More information about the NANOG mailing list