Chuckbuchan
password complexity

Which part of Windows Server sets up the password complexity after it's enabled?

For instance, if the administrator wants a user to have at least 2 numbers in the password, one dash, one capital letter... how do they specify that?

ASKER CERTIFIED SOLUTION
Yan_west

frieked

Domain security policy (in administrative tools)
Security settings->Account policies->Password policy
This is where you have to set it up, but you cannot define the complexity there...
Chuckbuchan (ASKER)

For Frieked: well, when I get there, the only thing I can do is enable or disable, nothing else.
I documented online, and found that it requires passfit.dll, but I need a kind of step-by-step walkthrough to understand clearly how it works.
For Yan West: did you try that and manage to customize the password complexity the way you wanted it?
I will be evaluating it shortly, just waiting for the manager's approval. Heard a lot of good about it, and I read some newsgroup posts of people who used it successfully.
What exactly is the version of Windows you are running? Frieked is correct for Win2K domains.
The--Captain
You are aware of course that if you set password policy too strict that you will force users to generate (or generate for them) passwords which they cannot remember and are compelled to write down, at which point you have just vaporized your entire password security scheme?  One of my relatives works at a company that refuses to allow her to reuse passwords (not too bad an idea if you don't make users have too many different passwords), but also generates these completely ridiculous random passwords for their users, so the end result is that my relative has this huge list of passwords written down, like:

a2jhD7-dqD
87d-f89sFs
98djhfg-sD
8fg-df3d34
etc...

which is obviously just waiting for someone to steal the list and destroy the network (Yes, she has enough access to destroy a large chunk of the nationwide network).

Cheers,
-Jon

If you want to use something certified by Microsoft rather than a 3rd party, there is a utility called passprop.exe on the Windows NT Resource Kit (it is easy to find on Google).
It doesn't let you specify exactly what you want, e.g. 2 capitals and 4 symbols, but it will force a mixture of upper and lowercase with numbers or symbols. Here is the output from the help file from DOS; it shows the switches you can use.

Displays or modifies domain policies for password complexity and
administrator lockout.

PASSPROP [/complex] [/simple] [/adminlockout] [/noadminlockout]

    /complex            Force passwords to be complex, requiring passwords
                        to be a mix of upper and lowercase letters and
                        numbers or symbols.

    /simple             Allow passwords to be simple.

    /adminlockout       Allow the Administrator account to be locked out.
                        The Administrator account can still log on
                        interactively on domain controllers.

    /noadminlockout     Don't allow the administrator account to be locked
                        out.

Additional properties can be set using User Manager or the NET ACCOUNTS
command.

None of these utilities allow the user to customize the complexity of the password.
My question is what is the next step, after I go to the "Password must meet complexity requirements" window, then tick the radio button that says "Enabled"?
Why did Microsoft put this parameter there, and then for the rest someone has to look for a third party to do the rest of the job? This is only my point of view, and I need some more explanations.

Thanks

I found 75% of the answer:
After I tick the "Enabled" radio button for "Password must meet complexity requirements", then whenever I create a new user I will assign him/her a password by referring to the following rules:

   Description                     Examples
   -----------------------------------------------
   Upper case letters              A, B, C, ... Z
   Lower case letters              a, b, c, ... z
   Westernized Arabic numerals     0, 1, 2, ... 9
   Non-alphanumeric ("special
     characters") such as
     punctuation symbols

These rules are located at:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q161/9/90.asp&NoWebContent=1

but the 25% left of my misunderstanding is about the symbols: which ones am I supposed to use and which ones am I not supposed to?
Or can I skip one of those requirements? For example, skip uppercase letters, lowercase letters, Westernized Arabic numerals, symbols?

So you did find what you were looking for then...

You can use any symbol on the keyboard.
I meant which symbols aren't allowed to be used?
Hmmm, didn't you want to be able to customize the complexity requirement??
You need to use 3 of the 4 possibilities.

so
Password1
password#1
Password#

would all be OK. Then you can also specify your length requirement, how many of the previously used passwords will be remembered, how long between changes, etc.
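As an added illustration (my own code, not from the thread, Microsoft, or any product named here), a small Python check of the "3 of the 4 classes" rule described above, evaluated side by side with the asker's original wish of "at least 2 numbers, one dash, one capital", which the built-in policy cannot express. The class sets and `meets_custom_rule` are assumptions of this example; the sample passwords are the ones quoted in the thread.

```python
import string

# Character classes from the Microsoft KB table quoted in the thread.
# Assumption: "symbol" is limited to ASCII punctuation here; the thread says
# any keyboard symbol counts, so extend the set if non-ASCII input matters.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def char_classes(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_windows_complexity(password, min_length=0):
    """Built-in 'Password must meet complexity requirements' as described in
    the thread: at least 3 of the 4 classes, plus the separately configured
    minimum length."""
    return len(password) >= min_length and len(char_classes(password)) >= 3


def meets_custom_rule(password, min_digits=2, min_dashes=1, min_upper=1):
    """The asker's wished-for per-class counts (hypothetical rule; the
    built-in policy has no setting for this, a custom filter would)."""
    digits = sum(c in string.digits for c in password)
    dashes = password.count("-")
    upper = sum(c in string.ascii_uppercase for c in password)
    return digits >= min_digits and dashes >= min_dashes and upper >= min_upper


def evaluate(password, min_length=0):
    """Report both rules for one password so they can be compared."""
    return {
        "classes": sorted(char_classes(password)),
        "windows": meets_windows_complexity(password, min_length),
        "custom": meets_custom_rule(password),
    }


if __name__ == "__main__":
    # Constructed sample input: the passwords quoted earlier in the thread.
    for pw in ["Password1", "password#1", "Password#", "password1", "a2jhD7-dqD"]:
        print(pw, evaluate(pw, min_length=8))
```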
For Yan West: Actually, I am trying to understand each approach, so that I can distinguish between them. I know that you are afraid of losing 250 points..............(just kidding)
I would say that you don't need to manage password complexity. You just need to educate people about how to create passwords that meet the requirements but are still easy to remember. I generally take a word or a name I'm comfortable with, intentionally misspell it by changing a letter, make one a capital and one a number. So Michael might become michEe1 or N1chaEl. My misspelling is what makes it unpredictable.
Incredibly wise advice - this is what I was getting at previously.  Passwords that are too complex just force users to write them down, which blows the whole intended security scheme.  IMO, educating users (albeit a difficult endeavor) would improve the situation much more than an overly strict password policy.

Cheers,
-Jon

I will get back to you all, guys; I'm just kind of busy now.
Thanks
To Yan West: I downloaded that software and tried it; it was really a good one.
I want to ask you if it's a trustworthy site and a trustworthy piece of software.
From the eval guide at the link provided by Yan West:

>The first five passwords in this table are rejected by PPE because they
>do not comply with the password policy. The last three passwords are
>accepted because they do comply with the policy, however this
>highlights a weakness in this password policy.
>• tseTEPP is part of the Username with the characters reversed
>• kravdraA is Aardvark with the characters reversed
>• Aar)vark is Aardvark with a ) substituting the d
>These passwords are only marginally stronger than the rejected
>passwords. The next section will show you how to improve the
>password policy.

Methinks the folks selling this product just don't "get it".  They love to cite studies by security folk who talk about weak passwords creating vulnerabilities, but they fail to mention similar studies that show how overly difficult [hard-to-remember] passwords also create vulnerabilities (I guess that would make it harder to sell their product).

I am particularly taken aback with their last bullet point:

"Aar)vark is Aardvark with a ) substituting the d"

Are you kidding me?!?  Are they seriously suggesting that someone is just going to guess that you should put a ')' character where the 'd' was?  We all know that the only real way an attacker is going to guess that one is by a brute force password generator that substitutes every possible character for every existing character in every possible dictionary word (never mind that that would take decades).  The fact that they are willing to ignore the obvious math illustrates the quality of their ethics, and their overall product, IMO.

I'm wondering what sort of system you are using that would be vulnerable to dictionary attacks, anyhow - don't Microsoft logons have the option of locking you out after x number of bad password entries?  Seems like most attackers wouldn't get farther than the first few words beginning with the letter A before the attack was automatically terminated by your software.

I read a quite amusing article recently titled "The Internet is too secure" which was basically describing how most security "experts" focus on esoteric concerns like the exact strength of their passwords rather than obvious avenues of compromise (i.e. unpatched Microsoft OSs, Joe users opening an infested email, Joe user inadvertently installing spyware from some seemingly benign website, etc).

Some of my passwords would certainly fail some of the tests advanced by the salesdroids trying to sell that password strength tester - wanna know how often my passwords have been guessed?  Absolutely zero.  Sure, I've been bitten by old vulnerabilities in unpatched OSs, gotten hit by a virus or two, and have certainly had my share of spyware infestations (when are they going to make that crap illegal, already?), but guessed/cracked my passwords?  None whatsoever.

Cheers,
-Jon
Maybe they are also in the Post-it business :-)