• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1134
  • Last Modified:

password complexity

Which part of windows server is set up the password complexity after it's enabled.

For instance if  the administrator wants a  user to have at least 2 numbers in the password, one dash, one capital letter ...how do they specify that?

0
Chuckbuchan
Asked:
Chuckbuchan
  • 9
  • 5
  • 5
  • +3
1 Solution
 
Yan_westCommented:
No you cannot do that unfortunatly.. I know, I asked the same question a while ago..... To do it, you have to use a third party software like this:

http://www.anixis.com/products/ppe/default.htm
0
 
friekedCommented:
Domain security policy (in administrative tools)
Security settings->Account policies->Password policy
0
 
Yan_westCommented:
This is where you have to set it up, but you cannot define the complexity there...
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
ChuckbuchanAuthor Commented:
for Frieked: well when I get there, the only thing I can do is enable or disable, nothing else
0
 
ChuckbuchanAuthor Commented:
I documented online, and found that it requires passfit.dll, but I need kind of  step by step walkthrough to understand clearly how it works
0
 
ChuckbuchanAuthor Commented:
For Yan West : did you try that and managed to customize the password complexity the way you wanted it?
0
 
Yan_westCommented:
I will be evaluating it shortly, just waiting for the manager aproval. Heard alot of good of it, and I read some newsgroup post of people who used it sucessfuly.
0
 
mikebernhardtCommented:
What exactly is the version of windows you are runnning? Frieked is correct for Win2K domains.
0
 
The--CaptainCommented:
You are aware of course that if you set password policy too strict that you will force users to generate (or generate for them) passwords which they cannot remember and are compelled to write down, at which point you have just vaporized your entire password security scheme?  One of my relatives works at a company that refuses to allow her to reuse passwords (not too bad of an idea if you don't make users have too many different passwords), but also generates these completely riduculous random passwords for their users, so the end result is that my relative has this huge list of passwords written down, like:

a2jhD7-dqD
87d-f89sFs
98djhfg-sD
8fg-df3d34
etc...

which is obviously just wating for someone to steal the list and destroy the network (Yes, she has enough access to destroy a large chunk of the nationwide network).

Cheers,
-Jon

0
 
sl1210Commented:
If you want to use something certified by microsoft rather than a 3rd party, there is a utility called passprop.exe on the windows nt resource kit (it is easy to find on google).
It doesn't let you specify exactly what you want, e.g. 2 capitals and 4 symbols, but it will force a mixture of upper and lowecase with numbers or symbols. here is the output from the help file from dos, it shows the switches you can use.

Displays or modifies domain policies for password complexity and

administrator lockout.



PASSPROP [/complex] [/simple] [/adminlockout] [/noadminlockout]



    /complex            Force passwords to be complex, requiring passwords

                        to be a mix of upper and lowercase letters and

                        numbers or symbols.



    /simple             Allow passwords to be simple.



    /adminlockout       Allow the Administrator account to be locked out.

                        The Administrator account can still log on

                        interactively on domain controllers.



    /noadminlockout     Don't allow the administrator account to be locked

                        out.



Additional properties can be set using User Manager or the NET ACCOUNTS

command.

0
 
Yan_westCommented:
All these utilities do not allow the user to customize the complexity of the password..
0
 
ChuckbuchanAuthor Commented:
my question is what is the next step, after I go to "Password must meet complexity requirements" window , then tick the radio button that says "Enabled".          ???
why did Microsoft put this parametere there and then for the rest someone has to look for a third party to do the rest of the job? This is only my point of view, and need some more explanations.

Thanks

0
 
ChuckbuchanAuthor Commented:
I found 75% of the answer:
After I tick the "Enabled" radio button for "Password must meet complexity requirements" then whenever I create a new user I will assign him/her a password by referring to the following rules :

   Description                     Examples
      -----------------------------------------------

      Upper case letters              A, B, C, ... Z
      Lower case letters              a, b, c, ... z
      Westernized Arabic numerals     0, 1, 2, ... 9
      Non-alphanumeric ("special
        characters") such as
        punctuation symbols
 these rules are located on :
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q161/9/90.asp&NoWebContent=1

but the 25% left of my misunderstanding is for the symboles , which ones I am supposed to use and which ones I am not supposed to.
Or can I skip one of those requirements ? example skip Uppercase,Lower case letters ,    Westernized Arabic numerals,symboles?

0
 
mikebernhardtCommented:
So you did find what you were looking for then...

You can use any symbol on the keyboard
0
 
ChuckbuchanAuthor Commented:
I meant which symboles aren't allowed to be used?
0
 
Yan_westCommented:
Hmmm, didnt you want to be able to customize the complexity requirement??
0
 
mikebernhardtCommented:
You need to use 3 of the 4 possibilities.

so
Password1
password#1
Password#

would all be OK. Then you can also specify your length requirement, how many of the previously used passwords will be remembered, how long between changes, etc.
0
 
ChuckbuchanAuthor Commented:
For Yan West: Actually, I am trying to understand each approach, so that I can distinguish betwween them. I know that you are afraid of loosing 250 points..............(just kidding)
0
 
mikebernhardtCommented:
I would say that you don't need to manage password complexity. You just need to educate people about how to create passwords that meet the requirements but are still easy to remember. I generally take a word or a name I'm comfortable with, intentionally misspell it by changing a letter, make one a capital and one a number. So Michael might become michEe1 or N1chaEl. My misspelling is what makes it unpredictable.
0
 
The--CaptainCommented:
Incredibly wise advice - this is what I was getting at previously.  Passwords that are too complex just forces users to write them down, which blows the whole intended security scheme.  IMO, educating users (abeit a difficult endeavor), would improve the situation much more than an overly strict password policy.

Cheers,
-Jon

0
 
ChuckbuchanAuthor Commented:
I will get back with you all guys, am just kind of busy now.
Thanks
0
 
ChuckbuchanAuthor Commented:
To Yan West: I downloaded that software , and tried it, it was really a good one.
I want to ask you if it's a trustable site and trustable piece of software.  
0
 
The--CaptainCommented:
From the eval guide at the link provided by Yan West:

>The first five passwords in this table are rejected by PPE because they
>do not comply with the password policy. The last three passwords are
>accepted because they do comply with the policy, however this
>highlights a weakness in this password policy.
>• tseTEPP is part of the Username with the characters reversed
>• kravdraA is Aardvark with the characters reversed
>• Aar)vark is Aardvark with a ) substituting the d
>These passwords are only marginally stronger than the rejected
>passwords. The next section will show you how to improve the
>password policy.

Methinks the folks selling this product just don't "get it".  They love to cite studies by security folk who talk about weak passwords creating vulnurabilities, but they fail to mention similar studies that show how overly difficult [hard-to-remember] passwords] also create vulnurabilities (I guess that would make it harder to sell their product).  

I am particularly taken aback with their last bullet point:

"Aar)vark is Aardvark with a ) substituting the d"

Are you kidding me?!?  Are they seriously suggesting that someone is just going to guess that you should put a ')' character where the 'd' was?  We all know that they only real way an attacker is going to guess that one is by a brute force password generator that substitutes ever possible character for every existing character in every possible dictionary word (never mind that that would take decades).  The fact that they are willing to ignore the obvious math illustrates the quality of their ethics, and their overall product, IMO.

I'm wondering what sort of system you are using that would be vulnerable to dictionary attacks, anyhow - don't microsoft logons have the option of locking you out after x number of bad password entries?  Seems like most attackers wouldn't get farther than the first few words beginning with the letter A before the attack was automatically terminated by your software.

I read a quite amusing article recently titled "The Internet is too secure" which was basically describing how most security "experts" focus on esoteric concerns like the exact strength of their passwords rather than obvious avenues of compromise (ie unpatched microsoft OSs, Joe users opening an infested email, Joe user inadvertently installing spyware from some seemingly benign website, etc).

Some of my passwords would certainly fail some of the tests advanced by the saledroids trying to sell that password strength tester - wanna know how often my passwords have been guessed?  Absolutely zero.  Sure, I've been bitten by old vulnurabilities in unpatched OSs, gotten hit by a virus or two, and have certainly had my share of spyware infestations (when are they going to make that crap illegal, already?), but guessed/cracked my passwords?  None whatsoever.

Cheers,
-Jon



0
 
mikebernhardtCommented:
Maybe they are also in the Post-it business :-)
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 9
  • 5
  • 5
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now