iamuser asked:

Windows 2008 R2 complex password requirements - changing

Upper management at our company is not happy with the passwords that users are coming up with and using. They are not secure enough, even with password complexity enabled.

The password complexity settings in Windows are hit or miss when it comes to getting users to create a secure password:

Contain characters from three of the following four categories:

    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

We have users doing just enough to meet three of the four categories 90% of the time. We would like to force all four categories, but by default there is no way to do that. So we are wondering: is there any way to do this at all? Via the schema, via a third-party app, etc.?
McKnife (Germany):

There's no built-in way, yet.
Look at Anixis' Password Policy Enforcer: http://anixis.com/products/ppe/
It can do all that and more. It is easy to administer and reasonably priced, in my opinion.
In my experience this kind of password complexity leads to users writing passwords on sticky notes and attaching them to the monitor. Maybe you should use a second authentication method such as a smart card, biometrics, etc. Increased security costs a lot more.

Best regards
iamuser (ASKER):

It's not my call. Upper management wants this for all users. We have explained many times over that users are not going to remember their passwords and that they'll end up on post-it notes.
You can use a third-party solution or you can create your own password filter.
Here is sample code http://www.devx.com/security/Article/21522/0/page/4

Best regards
iamuser (ASKER):

"In order to filter passwords for domain users, you should use the 'Domain Security Policy' console on the domain controller machine and install your password filter there."

Right now we are using Fine-Grained Password Policies. We don't want one password policy for everyone. Can this work with Fine-Grained Password Policies?
ASKER CERTIFIED SOLUTION by Walter Padrón (United States of America)
This solution is only available to members.
iamuser (ASKER):

The issue is that we don't want this to apply to any accounts that we use for services. If we use this, then all accounts will be affected, including our service accounts.
SOLUTION (only available to members)
iamuser (ASKER):

Ah, okay, the Anixis PPE will allow me to have different policies for different groups of users.
SOLUTION (only available to members)
SOLUTION (only available to members)
iamuser (ASKER):

I'm stuck between a rock and a hard place. I'll bring it up at my meeting with management and see where they want to go. They seem to believe that they know more. God... I hate paper pushers.
Having a short password (length = 8) and requiring all 4 classes (upper, lower, digit, and special) will HURT the password's entropy! If longer than 8 it's not as bad, but there is still some degradation. Increasing the minimum length helps in all cases.

From my article: If you require all four possible generic policies, at least one digit, one upper, one lower and one special, and the minimum length is eight, you've reduced the guessing by over half. Instead of 6,704,780,954,517,120 possible it's reduced to 3,025,989,069,143,040, which is a 55% reduction when the password is only 8 characters long. The attacker will get your passwords that are 8 characters in half the time, all other things being equal.
http://openwall.info/wiki/john/policy [Effect of password policies on keyspace reduction]
-rich
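The inclusion-exclusion behind those two figures, as an added example (not rich's code or the article's). It assumes the printable-ASCII split used in the thread: 26 upper, 26 lower, 10 digits and 33 symbols (space counted as a symbol), 95 characters in total. Run as written, it reproduces both numbers quoted above: the restricted count is the number of exactly-eight-character strings that contain all four classes, and the unrestricted figure is the cumulative keyspace for lengths 1 through 8. It also cross-checks the formula by brute force on a six-character toy alphabet, and shows the removed fraction shrinking as the minimum length grows.

```python
"""Keyspace of an N-character password when every character class is mandatory.

Added example; not code from any poster. Class sizes are the thread's
printable-ASCII split (assumption: the space is counted among the 33 symbols).
"""
from itertools import combinations, product

CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}


def total_keyspace(class_sizes, length):
    """All strings of exactly `length` over the full alphabet."""
    return sum(class_sizes.values()) ** length


def cumulative_keyspace(class_sizes, max_length):
    """All strings of length 1..max_length: what an exhaustive attack that
    tries every length up to the maximum has to cover."""
    return sum(total_keyspace(class_sizes, n) for n in range(1, max_length + 1))


def mandatory_classes_keyspace(class_sizes, length):
    """Strings of exactly `length` with at least one character from every class.
    Inclusion-exclusion over the set S of classes that are left out entirely:
    sum over all S of (-1)^|S| * (alphabet size minus the size of S)^length."""
    names = list(class_sizes)
    alphabet = sum(class_sizes.values())
    count = 0
    for k in range(len(names) + 1):
        for omitted in combinations(names, k):
            remaining = alphabet - sum(class_sizes[n] for n in omitted)
            count += (-1) ** k * remaining ** length
    return count


def reduction(class_sizes, length):
    """Fraction of the exact-length keyspace removed by the all-classes rule."""
    return 1 - mandatory_classes_keyspace(class_sizes, length) / total_keyspace(class_sizes, length)


def classes_present(password, classes):
    """Number of classes (name -> allowed characters) that `password` draws from.
    Windows' default rule wants 3 of 4; the asker wants all 4."""
    return sum(any(c in chars for c in password) for chars in classes.values())


def meets_all_classes(password, classes):
    """The policy discussed in the thread: every class must appear."""
    return classes_present(password, classes) == len(classes)


def brute_force_count(classes, length):
    """Enumerate every string over a tiny alphabet and count those that pass
    meets_all_classes; used to cross-check the closed-form count."""
    alphabet = "".join(classes.values())
    return sum(meets_all_classes("".join(p), classes) for p in product(alphabet, repeat=length))


if __name__ == "__main__":
    # Toy alphabet (constructed): 2 upper, 2 lower, 1 digit, 1 symbol.
    tiny = {"upper": "AB", "lower": "ab", "digit": "1", "special": "!"}
    sizes = {k: len(v) for k, v in tiny.items()}
    assert brute_force_count(tiny, 4) == mandatory_classes_keyspace(sizes, 4) == 96

    print(f"lengths 1-8, any mix : {cumulative_keyspace(CLASS_SIZES, 8):,}")
    for n in (8, 10, 12, 15):
        print(f"length {n:2d}: {mandatory_classes_keyspace(CLASS_SIZES, n):,} of "
              f"{total_keyspace(CLASS_SIZES, n):,} remain "
              f"({reduction(CLASS_SIZES, n):.1%} removed)")
```

Note that the two quoted figures are not computed over the same space: 6,704,780,954,517,120 counts every length from 1 to 8, while 3,025,989,069,143,040 counts exact-length-8 strings only; measured against 95^8 the rule removes about 54% of the eight-character keyspace, and the percentage falls quickly for longer minimums.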
Ok, these details are about password security. There are different approaches to creating a safe password and different approaches to enforcing safe passwords. At the same time one has to know how attacks could be carried out, because without something to attack, it's irrelevant whether a password is strong or weak.

In a discussion I had with pentesters that are certified by the German government, they said they would use the following strategy: length 15 or more (they themselves used 20) and construct a password this way:
Take three words that stand in no logical connection (screw, horse, picture), damage them a little (or use local dialect) and put some special characters and/or numbers in between, result:
skroo#Hooss%picksha9
This is long (20), easy to remember and fast to type. That is their recommended strategy. I started to argue: what if the attacker knows that this is the recommended company password policy? What if, after all, people are not so creative and mostly just select all-too-common words like mother/house/tele/book/dog/lamp/xbox/iPhone/...? Wouldn't it be possible to construct a very sophisticated dictionary attack? I think it would. And since we cannot prevent dictionary words with Windows' own means, many will end up like
Moon2dogs,howling!!!
So I really recommend using software that does dictionary and similarity checks. Because once a shoulder-surfer type attacker sees "Moon2dogs,howling!!!" typed once or twice, he has it. And maybe from then on, that user will go on like this and his next password would be
Moon3dogs,howling!!!
... :|
All good points, and this is possible; have a look at hashcat's combinator attack: https://hashcat.net/wiki/doku.php?id=combinator_attack
https://hashcat.net/events/p14/I%20have%20the%20%23cat%20i%20make%20the%20rules_YC.pdf
Straight-up dictionary words are not helping, but the length of all of them is, and leet'ing them doesn't add much either (e=3 and so on). But as I lay out in my articles, using words that are broken or out of place makes this harder: kant-dew-that-2-mi
But based on length alone, Moon2dogs,howling!!! is actually an excellent password. Having a big list of words doesn't give them context, so moon, dogs and howling would have to simply "come up" in the attempt, and would not necessarily be quick to find; there is no weighting that I'm aware of for words that may occur close to one another. A computer doesn't know that moon, dogs and howling are associated with one another. There will be soon, but as of now, I don't know of such work being done by the hacking community.
-rich
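The two checks McKnife asks for (dictionary and similarity), written to see a password the way rich's combinator attack does, as an added example that is not code from either poster or from any product. The word list is a constructed stand-in for a real dictionary, the leet map and the 75% / 80% thresholds are this example's own assumptions, and in a real deployment this logic would sit inside the password filter installed on the domain controllers rather than in a script. It flags "Moon2dogs,howling!!!" as three dictionary words covering every letter, still catches the same password spelled with leet digits or run together as one token, and rejects "Moon3dogs,howling!!!" as a near-copy of its predecessor, while the pentesters' damaged-word construction passes both checks.

```python
"""Dictionary and similarity checks for a candidate password.

Added example for the thread above; not any poster's or product's code.
The word list, leet map and thresholds are constructed assumptions.
"""
import re
from difflib import SequenceMatcher

# Constructed mini word list standing in for a real dictionary (assumption).
WORDLIST = {
    "moon", "dog", "dogs", "howling", "house", "mother", "tele", "book",
    "lamp", "xbox", "iphone", "screw", "horse", "picture", "password", "summer",
}

# Common leet substitutions, undone before lookup so "M00n" still hits "moon".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_WORD = 3           # ignore very short letter runs such as "mi"
MAX_COVERAGE = 0.75    # reject if >= 75% of the letters are dictionary words (assumption)
MAX_SIMILARITY = 0.80  # reject if this similar to the previous password (assumption)


def segment(token, wordlist=WORDLIST):
    """Split `token` into dictionary words if it consists entirely of them,
    the way a combinator attack builds it ('moondogs' -> ['moon', 'dogs']).
    Returns [] when no full segmentation exists."""
    best = {0: []}  # best[i]: a segmentation of token[:i], if one exists
    for end in range(1, len(token) + 1):
        for start in range(0, end - MIN_WORD + 1):
            if start in best and token[start:end] in wordlist:
                best[end] = best[start] + [token[start:end]]
                break
    return best.get(len(token), [])


def dictionary_coverage(pw, wordlist=WORDLIST):
    """Return (words, coverage): the dictionary words the password is built
    from and the fraction of its letters they account for. Both the raw and the
    de-leeted spelling are tried and the worse (higher) coverage is reported."""
    best_words, best_cov = [], 0.0
    for form in (pw.lower(), pw.lower().translate(LEET)):
        letters = sum(c.isalpha() for c in form)
        if not letters:
            continue
        words = []
        for token in re.split(r"[^a-z]+", form):   # letter runs between digits/symbols
            if len(token) >= MIN_WORD:
                words.extend(segment(token, wordlist))
        cov = sum(map(len, words)) / letters
        if cov > best_cov:
            best_words, best_cov = words, cov
    return best_words, best_cov


def similarity(new, old):
    """Case-insensitive similarity in [0, 1] based on matching subsequences;
    Moon2dogs -> Moon3dogs scores 0.95."""
    return SequenceMatcher(None, new.lower(), old.lower()).ratio()


def check(new, old=None, wordlist=WORDLIST):
    """Return (accepted, reasons); an empty reasons list means the candidate passed."""
    reasons = []
    words, cov = dictionary_coverage(new, wordlist)
    if cov >= MAX_COVERAGE:
        reasons.append(f"{cov:.0%} of the letters are dictionary words: {'+'.join(words)}")
    if old is not None:
        sim = similarity(new, old)
        if sim >= MAX_SIMILARITY:
            reasons.append(f"{sim:.0%} similar to the previous password")
    return (not reasons), reasons


if __name__ == "__main__":
    for new, old in [
        ("Moon2dogs,howling!!!", None),
        ("M00n2d0gs,h0wling!!!", None),
        ("Moon3dogs,howling!!!", "Moon2dogs,howling!!!"),
        ("skroo#Hooss%picksha9", "Moon2dogs,howling!!!"),
    ]:
        ok, why = check(new, old)
        print(f"{new!r}: {'accepted' if ok else 'rejected'} {'; '.join(why)}")
```

The segmentation step is what separates this from a plain "is the whole password in the list" lookup: a password built by gluing words together, with or without digits between them, is exactly what a combinator attack enumerates, so it is scored on how much of it a dictionary explains rather than on its length.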
Avatar of iamuser

ASKER

Awesome, guys.