Solved

password complexity

Posted on 2004-09-08
Last Modified: 2008-02-01
Which part of Windows Server is used to set up the password complexity after it's enabled?

For instance, if the administrator wants a user to have at least 2 numbers in the password, one dash, one capital letter... how do they specify that?

Question by:Chuckbuchan
24 Comments
 
LVL 15

Accepted Solution

by:
Yan_west earned 250 total points
ID: 12009671
No, you cannot do that, unfortunately. I know, I asked the same question a while ago. To do it, you have to use third-party software like this:

http://www.anixis.com/products/ppe/default.htm
LVL 3

Expert Comment

by:frieked
ID: 12009707
Domain security policy (in administrative tools)
Security settings->Account policies->Password policy
LVL 15

Expert Comment

by:Yan_west
ID: 12009723
This is where you have to set it up, but you cannot define the complexity there...

Author Comment

by:Chuckbuchan
ID: 12009747
For Frieked: well, when I get there, the only thing I can do is enable or disable, nothing else.

Author Comment

by:Chuckbuchan
ID: 12010026
I documented online, and found that it requires passfilt.dll, but I need a kind of step-by-step walkthrough to understand clearly how it works.

Author Comment

by:Chuckbuchan
ID: 12010609
For Yan West: did you try that and manage to customize the password complexity the way you wanted it?
LVL 15

Expert Comment

by:Yan_west
ID: 12010635
I will be evaluating it shortly, just waiting for the manager's approval. Heard a lot of good about it, and I read some newsgroup posts from people who used it successfully.
LVL 28

Expert Comment

by:mikebernhardt
ID: 12011921
What exactly is the version of Windows you are running? Frieked is correct for Win2K domains.
LVL 16

Expert Comment

by:The--Captain
ID: 12013434
You are aware, of course, that if you set the password policy too strict you will force users to generate (or generate for them) passwords which they cannot remember and are compelled to write down, at which point you have just vaporized your entire password security scheme? One of my relatives works at a company that refuses to allow her to reuse passwords (not too bad of an idea if you don't make users have too many different passwords), but also generates these completely ridiculous random passwords for their users, so the end result is that my relative has this huge list of passwords written down, like:

a2jhD7-dqD
87d-f89sFs
98djhfg-sD
8fg-df3d34
etc...

which is obviously just waiting for someone to steal the list and destroy the network (yes, she has enough access to destroy a large chunk of the nationwide network).

Cheers,
-Jon


Expert Comment

by:sl1210
ID: 12014864
If you want to use something certified by Microsoft rather than a third party, there is a utility called passprop.exe in the Windows NT Resource Kit (it is easy to find on Google).
It doesn't let you specify exactly what you want, e.g. 2 capitals and 4 symbols, but it will force a mixture of upper and lowercase with numbers or symbols. Here is the output from the help file in DOS; it shows the switches you can use.

Displays or modifies domain policies for password complexity and
administrator lockout.

PASSPROP [/complex] [/simple] [/adminlockout] [/noadminlockout]

    /complex            Force passwords to be complex, requiring passwords
                        to be a mix of upper and lowercase letters and
                        numbers or symbols.

    /simple             Allow passwords to be simple.

    /adminlockout       Allow the Administrator account to be locked out.
                        The Administrator account can still log on
                        interactively on domain controllers.

    /noadminlockout     Don't allow the administrator account to be locked
                        out.

Additional properties can be set using User Manager or the NET ACCOUNTS
command.

 
LVL 15

Expert Comment

by:Yan_west
ID: 12015780
All these utilities do not allow the user to customize the complexity of the password..

Author Comment

by:Chuckbuchan
ID: 12016006
My question is: what is the next step, after I go to the "Password must meet complexity requirements" window and tick the radio button that says "Enabled"? ???
Why did Microsoft put this parameter there and then, for the rest, someone has to look for a third party to do the rest of the job? This is only my point of view, and I need some more explanation.

Thanks


Author Comment

by:Chuckbuchan
ID: 12016387
I found 75% of the answer:
After I tick the "Enabled" radio button for "Password must meet complexity requirements", then whenever I create a new user I will assign him/her a password by referring to the following rules:

      Description                     Examples
      -----------------------------------------------
      Upper case letters              A, B, C, ... Z
      Lower case letters              a, b, c, ... z
      Westernized Arabic numerals     0, 1, 2, ... 9
      Non-alphanumeric ("special
        characters") such as
        punctuation symbols

These rules are located at:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q161/9/90.asp&NoWebContent=1

But the 25% left of my misunderstanding is about the symbols: which ones am I supposed to use and which ones am I not supposed to?
Or can I skip one of those requirements? For example, skip uppercase, lowercase letters, Westernized Arabic numerals, symbols?

 
LVL 28

Expert Comment

by:mikebernhardt
ID: 12020789
So you did find what you were looking for then...

You can use any symbol on the keyboard

Author Comment

by:Chuckbuchan
ID: 12020819
I meant, which symbols aren't allowed to be used?
LVL 15

Expert Comment

by:Yan_west
ID: 12020827
Hmmm, didn't you want to be able to customize the complexity requirement?
LVL 28

Expert Comment

by:mikebernhardt
ID: 12021004
You need to use 3 of the 4 possibilities.

so
Password1
password#1
Password#

would all be OK. Then you can also specify your length requirement, how many of the previously used passwords will be remembered, how long between changes, etc.
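To make the "3 of the 4 classes" rule concrete, here is an added example (not code from this thread, from Microsoft, or from any product mentioned here) that re-implements the check the cited KB article describes for Passfilt.dll: at least 6 characters, characters from at least 3 of the 4 classes in the table above, and no occurrence of the account name or of any part of the full name longer than two characters. It goes one step beyond the page by also recognising a fifth class (Unicode letters that have no case, which later Windows versions count as well), and it runs the three passwords from the comment above plus a few constructed ones. The account name "cbuchan" and full name "Chuck Buchan" are assumptions for the demo, not values from the thread.

```python
import re

# Rules as described in the Microsoft KB article cited above (Passfilt.dll):
# at least 6 characters, characters from at least 3 of the 4 classes, and no
# occurrence of the account name or of any part of the full name.
MIN_LENGTH = 6
DIGITS = "0123456789"              # "Westernized Arabic numerals" only
NAME_DELIMITERS = r"[,.\-_ #\t]+"  # delimiters Windows uses to split the full name


def name_tokens(full_name):
    """Return the parts of a full name longer than two characters;
    shorter parts (initials, 'de', 'Jr') are ignored by the filter."""
    return [t for t in re.split(NAME_DELIMITERS, full_name) if len(t) > 2]


def char_classes(password):
    """Classify every character into one of the four classes from the KB table,
    plus 'other_alpha' for case-less Unicode letters (counted by newer Windows)."""
    classes = set()
    for ch in password:
        if ch in DIGITS:
            classes.add("digit")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isalpha():
            classes.add("other_alpha")   # e.g. CJK characters: alphabetic, no case
        else:
            classes.add("special")       # any other symbol, including space
    return classes


def meets_complexity(password, account_name, full_name=""):
    """Return (accepted, reason). Name comparisons are case-insensitive,
    which matches the filter's documented behaviour."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False, "contains the account name"
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            return False, "contains part of the full name: " + token
    if len(char_classes(password)) < 3:
        return False, "uses fewer than three character classes"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the three passwords from the comment above plus
    # a few that trigger each rejection reason. Account name and full name
    # are assumed values for the demo.
    samples = ["Password1", "password#1", "Password#",
               "password", "Pa$1", "cbuchan#1A", "Buchan#1"]
    for pw in samples:
        ok, why = meets_complexity(pw, "cbuchan", "Chuck Buchan")
        print("%-12s %s (%s)" % (pw, "accepted" if ok else "rejected", why))
```

Note what the filter does not do: it has no opinion about which symbols you use (any non-alphanumeric character counts), and it cannot be told "at least two digits and one dash", which is exactly the gap the thread is about.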

Author Comment

by:Chuckbuchan
ID: 12021440
For Yan West: Actually, I am trying to understand each approach, so that I can distinguish between them. I know that you are afraid of losing 250 points... (just kidding)
LVL 28

Expert Comment

by:mikebernhardt
ID: 12022422
I would say that you don't need to manage password complexity. You just need to educate people about how to create passwords that meet the requirements but are still easy to remember. I generally take a word or a name I'm comfortable with, intentionally misspell it by changing a letter, make one a capital and one a number. So Michael might become michEe1 or N1chaEl. My misspelling is what makes it unpredictable.
LVL 16

Expert Comment

by:The--Captain
ID: 12024397
Incredibly wise advice; this is what I was getting at previously. Passwords that are too complex just force users to write them down, which blows the whole intended security scheme. IMO, educating users (albeit a difficult endeavor) would improve the situation much more than an overly strict password policy.

Cheers,
-Jon


Author Comment

by:Chuckbuchan
ID: 12084021
I will get back with you all guys, am just kind of busy now.
Thanks

Author Comment

by:Chuckbuchan
ID: 12095986
To Yan West: I downloaded that software and tried it; it was really a good one.
I want to ask you if it's a trustworthy site and a trustworthy piece of software.
LVL 16

Expert Comment

by:The--Captain
ID: 12109262
From the eval guide at the link provided by Yan West:

>The first five passwords in this table are rejected by PPE because they
>do not comply with the password policy. The last three passwords are
>accepted because they do comply with the policy, however this
>highlights a weakness in this password policy.
>• tseTEPP is part of the Username with the characters reversed
>• kravdraA is Aardvark with the characters reversed
>• Aar)vark is Aardvark with a ) substituting the d
>These passwords are only marginally stronger than the rejected
>passwords. The next section will show you how to improve the
>password policy.

Methinks the folks selling this product just don't "get it". They love to cite studies by security folk who talk about weak passwords creating vulnerabilities, but they fail to mention similar studies that show how overly difficult [hard-to-remember] passwords also create vulnerabilities (I guess that would make it harder to sell their product).

I am particularly taken aback with their last bullet point:

"Aar)vark is Aardvark with a ) substituting the d"

Are you kidding me?!? Are they seriously suggesting that someone is just going to guess that you should put a ')' character where the 'd' was? We all know that the only real way an attacker is going to guess that one is by a brute force password generator that substitutes every possible character for every existing character in every possible dictionary word (never mind that that would take decades). The fact that they are willing to ignore the obvious math illustrates the quality of their ethics, and their overall product, IMO.

I'm wondering what sort of system you are using that would be vulnerable to dictionary attacks, anyhow. Don't Microsoft logons have the option of locking you out after x number of bad password entries? Seems like most attackers wouldn't get farther than the first few words beginning with the letter A before the attack was automatically terminated by your software.

I read a quite amusing article recently titled "The Internet is too secure" which was basically describing how most security "experts" focus on esoteric concerns like the exact strength of their passwords rather than obvious avenues of compromise (i.e. unpatched Microsoft OSs, Joe User opening an infested email, Joe User inadvertently installing spyware from some seemingly benign website, etc.).

Some of my passwords would certainly fail some of the tests advanced by the saledroids trying to sell that password strength tester. Wanna know how often my passwords have been guessed? Absolutely zero. Sure, I've been bitten by old vulnerabilities in unpatched OSs, gotten hit by a virus or two, and have certainly had my share of spyware infestations (when are they going to make that crap illegal, already?), but guessed/cracked my passwords? None whatsoever.

Cheers,
-Jon



LVL 28

Expert Comment

by:mikebernhardt
ID: 12114225
Maybe they are also in the Post-it business :-)