iamuser
 asked on

Windows 2008 R2 complex password requirements - changing

Upper management at our company is not happy with the passwords that users are coming up with/using. It is not secure enough even with password complexity enabled.

The password complexity settings in MS are hit or miss when it comes to getting users to create a secure password:

Contain characters from three of the following four categories:

    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

We have users doing enough to meet the first 3 requirements 90% of the time. We'd like to force all 4 requirements, but by default there is no way to do that. So we're wondering if there is any way to do this at all? Via the schema, via a third-party app, etc.?

Tags: OS Security, Active Directory, Microsoft Server OS

Last Comment: iamuser, 8/22/2022 - Mon
McKnife

There's no built-in way, yet.
Look at anixis' Password policy enforcer: http://anixis.com/products/ppe/
It can do all that and more. It is easy to administer and reasonably priced, in my opinion.
Walter Padrón

In my experience this kind of password complexity leads to users writing passwords on sticky notes and attaching them to the monitor. Maybe you should use a second authentication method such as a smart card, biometrics, etc. Increased security costs a lot more.

Best regards
iamuser

ASKER
It's not my call. Upper management wants this for all users. We have explained it many times over that users are not prone to remember their passwords and that it'll be on Post-it notes.
Walter Padrón

You can use a third-party solution or you can create your own password filter.
Here is sample code http://www.devx.com/security/Article/21522/0/page/4

Best regards
iamuser

ASKER
In order to filter passwords for domain users, you should use the "Domain Security Policy" console on domain controller machine and install there your password filter

Right now we are using fine-grained password policies. We don't want 1 password policy for everyone. Can this work with fine-grained password policy?
ASKER CERTIFIED SOLUTION
Walter Padrón

iamuser

ASKER
The issue is we don't want this to apply to any accounts that we use for services. If we use this then all accounts will be affected, including our service accounts.
iamuser

ASKER
AH, okay, the ANIXIS PPE will allow me to have different policies for different groups of users.
iamuser

ASKER
I'm stuck between a rock and a hard place. I'll bring it up at my meeting with management and see where they want to go. They seem to believe that they know more. God....I hate paper pushers
Rich Rumble

Having a short password (length=8) and requiring all 4 classes (upper, lower, digit, and special) will HURT the password's entropy! If more than 8 it's not as bad, but still has some degradation. Increasing the minimum length helps in all cases.

From my article: If you require all four possible generic policies, at least one digit, one upper, one lower and one special, and the minimum length is eight, you've reduced the guessing by over half. Instead of 6,704,780,954,517,120 possible it's reduced to 3,025,989,069,143,040, which is a 55% reduction when the password is only 8 characters long. The attacker will get your passwords that are 8 characters in half the time, if all things were equal.
http://openwall.info/wiki/john/policy [Effect of password policies on keyspace reduction]
-rich
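As an added example (not code from this thread), here is a small Python script that implements the 3-of-4 versus all-4 class check iamuser asked about and reproduces Rich Rumble's keyspace comparison by inclusion-exclusion. It assumes the 95 printable ASCII characters split into 26 upper, 26 lower, 10 digits and 33 specials, so the absolute counts differ from those quoted above while the reduction fraction comes out close to the quoted 55%.

```python
import string
from itertools import combinations, product

# The four classes Windows complexity counts. The exact membership
# (printable ASCII, space counted as special, 95 chars) is an assumption.
CLASSES = {
    "upper": string.ascii_uppercase,        # 26
    "lower": string.ascii_lowercase,        # 26
    "digit": string.digits,                 # 10
    "special": string.punctuation + " ",    # 32 + space = 33
}

def classes_present(password: str) -> set:
    """Names of the classes that occur at least once in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}

def meets_policy(password: str, min_length: int = 8,
                 required_classes: int = 3) -> bool:
    """Windows default is 3 of 4 classes; the asker wants required_classes=4."""
    return (len(password) >= min_length
            and len(classes_present(password)) >= required_classes)

def count_with_all_classes(class_sizes, length: int) -> int:
    """Strings of exactly `length` characters that contain every class at
    least once, by inclusion-exclusion over the subsets of excluded classes."""
    alphabet = sum(class_sizes)
    n = len(class_sizes)
    count = 0
    for k in range(n + 1):
        for excluded in combinations(range(n), k):
            remaining = alphabet - sum(class_sizes[i] for i in excluded)
            count += (-1) ** k * remaining ** length
    return count

def keyspace_reduction(length: int = 8):
    """(total keyspace, keyspace left when all four classes are mandatory,
    fraction of the keyspace the rule removes)."""
    sizes = [len(chars) for chars in CLASSES.values()]
    total = sum(sizes) ** length
    restricted = count_with_all_classes(sizes, length)
    return total, restricted, 1 - restricted / total

def brute_force_all_classes(alphabets, length: int) -> int:
    """Cross-check for tiny alphabets: enumerate every string and count
    those that touch every class."""
    pool = "".join(alphabets)
    return sum(1 for pw in product(pool, repeat=length)
               if all(any(c in a for c in pw) for a in alphabets))
```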
McKnife

Ok, these details are on password security. There are different approaches to create a safe password and there are different approaches to enforce safe passwords. At the same time one has to know how attacks could be carried out, because without something to attack, whether it's strong or weak is all irrelevant.

In a discussion I had with pentesters that are certified by the German government, they said they would use the following strategy: length 15 or more (they themselves used 20) and construct a password this way:
Take three words that stand in no logical connection (screw, horse, picture), damage them a little (or use local dialect) and put some special characters and/or numbers in between, result:
skroo#Hooss%picksha9
This is long (20), easy to remember and fast to type. That is their recommended strategy. I started to argue: what if the attacker knows that this is the recommended company pw policy? What if, after all, people are not so creative and mostly just select all-too-common words like mother/house/tele/book/dog/lamp/xbox/iPhone/...? Wouldn't it be possible to construct a very sophisticated dictionary attack? I think it would. And since we cannot prevent dictionary words with Windows' own means, many will end up like
Moon2dogs,howling!!!
So I really recommend using software that does dictionary and similarity checks. Because once a shoulder-surfer-type attacker sees "Moon2dogs,howling!!!" typed once or twice, he has it. And maybe from then on, that user will go on like this and his next password would be
Moon3dogs,howling!!!
... :|
Rich Rumble

All good points, and this is possible, have a look at hashcat's combinator attack: https://hashcat.net/wiki/doku.php?id=combinator_attack
https://hashcat.net/events/p14/I%20have%20the%20%23cat%20i%20make%20the%20rules_YC.pdf
Straight-up dictionary words are not helping, but the length of all of them is, and leet'ing them doesn't add much either (e=3 and so on)... but like I lay out in my articles, using words that are broken or out of place makes this harder: kant-dew-that-2-mi
But based on length alone, Moon2dogs,howling!!! is actually an excellent password. Having a big list of words doesn't give them context, so moon, dogs and howling would have to simply "come up" in the attempt, and would not necessarily be quick to find; there is no weighting that I'm aware of for words that may occur close to one another. A computer doesn't know that moon, dogs and howling are associated with one another. There will be soon, but as of now, I don't know of such work being done by the hacking community.
-rich
iamuser

ASKER
awesome guys