Password complexity requirements

vasp
Hello,

Have just received a nice new server and am in the middle of setting up the group policies etc...

A requirement has come up that passwords to user accounts will have to be (say):

(1) 8 characters long
(2) Have at least 2 upper case characters
(3) Have at least 2 lower case characters
(4) And have at least 2 numerical characters.

I am aware that navigating to Windows Settings/Account Policies/Password Policies in the Domain Controller Security Policy snap-in allows me to enable or disable a policy entitled "Passwords must meet complexity requirements".

However, there is no way to redefine the criteria against which this policy checks.  Indeed I think it is set to:

1) Passwords must be at least six (6) characters long.
2) Passwords must contain characters from at least three of the following four (4) classes:

Description                                  Examples
------------------------------------------------------------------------
English upper case letters                   A, B, C, ... Z
English lower case letters                   a, b, c, ... z
Westernized Arabic numerals                  0, 1, 2, ... 9
Non-alphanumeric ("special characters")      such as punctuation symbols

3) Passwords may not contain your user name or any part of your full name.



Anybody aware of a way to customise the criteria for password complexity?

jkr
Top Expert 2012

Commented:
See http://support.microsoft.com/default.aspx?scid=KB;en-us;279890& for the criteria. The only way to customize the criteria is to write your own password filter DLL - for a starting point, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/installing_and_registering_a_password_filter_dll.asp

Commented:
jkr is absolutely correct. Here's the link to the exact procedure and some source code http://support.microsoft.com/default.aspx?scid=KB;en-us;q151082
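The comments above point to a custom password filter DLL. As an added example (not code from this thread or from the linked Microsoft sample), here is the rule check such a filter would need for the question's requirements, in portable C, next to the built-in rule as the question quotes it. The names `pw_counts`, `count_classes`, `meets_asker_policy`, `meets_builtin_rule` and `check_ascii`, and the sample passwords, are assumptions made for this example; wiring the check into the DLL's `PasswordFilter` export is not shown.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { size_t len, upper, lower, digit, other; } pw_counts;

/* Classify UTF-16 code units. nbytes is a byte count, like the Length field
 * of the UNICODE_STRING that a filter's PasswordFilter export receives. */
static pw_counts count_classes(const uint16_t *buf, size_t nbytes) {
    pw_counts c = { nbytes / sizeof(uint16_t), 0, 0, 0, 0 };
    for (size_t i = 0; i < c.len; i++) {
        uint16_t ch = buf[i];
        if (ch >= 'A' && ch <= 'Z')      c.upper++;
        else if (ch >= 'a' && ch <= 'z') c.lower++;
        else if (ch >= '0' && ch <= '9') c.digit++;
        else                             c.other++;
    }
    return c;
}

/* Rule from the question: 8+ characters, 2+ upper, 2+ lower, 2+ digits. */
int meets_asker_policy(const uint16_t *buf, size_t nbytes) {
    pw_counts c = count_classes(buf, nbytes);
    return c.len >= 8 && c.upper >= 2 && c.lower >= 2 && c.digit >= 2;
}

/* Built-in rule as quoted in the question: 6+ characters and three of the
 * four classes. The user-name check (item 3) is not modelled here. */
int meets_builtin_rule(const uint16_t *buf, size_t nbytes) {
    pw_counts c = count_classes(buf, nbytes);
    int classes = (c.upper > 0) + (c.lower > 0) + (c.digit > 0) + (c.other > 0);
    return c.len >= 6 && classes >= 3;
}

/* Demo helper (hypothetical): widen an ASCII sample to UTF-16, apply a rule. */
int check_ascii(const char *s, int (*rule)(const uint16_t *, size_t)) {
    uint16_t wide[64];
    size_t n = 0;
    while (s[n] != '\0' && n < 64) { wide[n] = (unsigned char)s[n]; n++; }
    return rule(wide, n * sizeof(uint16_t));
}

int main(void) {
    const char *s[] = { "Passw0rd", "ABcd12!", "PAssw0rd12", "abcdefgh" }; /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("%-12s builtin=%d custom=%d\n", s[i],
               check_ascii(s[i], meets_builtin_rule), check_ascii(s[i], meets_asker_policy));
    return 0;
}
```

The first two samples satisfy the built-in rule but not the question's counts, which is the gap a custom filter closes.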

Commented:
If you're not into doing it yourself (just not bothered to get Windows SDK and troubleshoot a DLL.. ugh!) there's a ready version here:

http://www.ntsecurity.nu/toolbox/strongpass/

It enforces at least 7 letters+upper/lower/alpha+specialchar combinations

It's not exactly what you wanted to enforce, but it beats writing your own code!

Commented:
Anddd.. (these just keep coming up!) a utility that will create the DLL for you! Easily customizable, a LOT of functionality, and no coding required!

http://www.altusnet.com/passfilt/index.htm

Sounds too good to be true? Yeah it costs $600 .. :)

Author

Commented:
Excellent!  Now remind me how to split these points for you guys....

jkr
Top Expert 2012

Commented:
>>Now remind me how to split these points for you guys

You can post a Q at CS - http://www.experts-exchange.com/Community_Support/

Commented:
(listening...)
- as fyi, ours is like requiring only three of the four you mention. So we don't have to do lower case, if we do upper case, numeric & symbols, for example.

Commented:
<Asker>:

I've refunded 100 points to enable you to accept the comment for one expert and to post a
"Points for <expertname>" Q for the other expert in the same topic area.

Please:
1) Post the link to the original Q in the "Points for <expertname>" and
2) Add in the original Q a comment with the link to the "Points for <expertname>", thus the email notif will warn the expert.

modulo

Community Support Moderator
Experts Exchange
