Microsoft Says Two Basic Security Steps Might Have Stopped Conficker
coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
Indeed.
And not only that, but by imposing published restrictions on the password, you reduce the number of possible passwords, making brute force attacks easier.
Just by saying "at least one digit", you reduce a brute force attacker's job by at least a factor of 9.5 (given you use ASCII; even more if you allow ISO-8859-x or Unicode). You reduce the time until any random password is cracked by about an order of magnitude. Or, put another way, the cracker can use a partial rainbow table that covers almost ten times as much of the total space.