RE: Password complexity - improvement

Don't confuse password strength with the number of passwords available.
Ansgar is correct with the math permutations. Any limitation reduces
your population set to fewer possible passwords, weak or not.

~Dave

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Jackson, Eric R IT3 (CVN75 CS-3)
Sent: Wednesday, August 15, 2007 4:46 PM
To: Ansgar -59cobalt- Wiechers
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Password complexity - improvement

Ansgar,

You're absolutely wrong in your statement here. Enforcing passwords
that MUST consist of uppercase letters, lowercase letter, numbers AND
special characters INCREASES the total number of possible passwords;
which in turn has a positive impact on your security.

It is much harder to break a password of AaBb1! than aabb1! The more
options there are that are enforced, the more complex the passwords.
The determining factor in this case would be how long or short the
password lengths are.

R/
Jackson

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Wednesday, August 15, 2007 2:39 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Password complexity - improvement

On 2007-08-15 dubaisans dubai wrote:
Is there a way to improve the password complexity requirements in
Windows 2000/2003 servers

The default will enforce 3 of the following 4 properties - Uppercase,
smallercase, numbers, special-characters.

Is there a way to enforce all 4 properties.

Enforcing passwords that MUST consist of uppercase letters, lowercase
letters, numbers AND special characters reduces the total number of
possible passwords, which in consequence has a negative impact on your
security.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq


--------------------------------------------------------------------
"*** NOTICE *** The information in this communication and any
attachment may contain confidential and proprietary information of
Security Connections, Inc. and/or its affiliates and may be
privileged or otherwise protected from disclosure. If you are not the
intended recipient, you are hereby notified that any review,
reliance, duplication or distribution without express permission is
strictly prohibited and may cause liability. If you have received this
communication in error, please notify the sender immediately by
reply email and delete or destroy all copies of this communication
and any attachments. Any views expressed in this communication
are those of the individual sender, except where authorized and
explicitly stated otherwise."

Relevant Pages

  • RE: Password complexity - improvement
    ... special characters INCREASES the total number of possible passwords; ... Enforcing passwords that MUST consist of uppercase letters, ...
    (Focus-Microsoft)
  • Re: Force Strong Passwords for a single Group
    ... for the local machine for computers in that OU. ... it can not be done natively for a particular domain security group. ... would anyone know a way of enforcing strong passwords for a single ...
    (microsoft.public.win2000.security)
  • RE: Password Cracking
    ... append the last characters of the server. ... Of course are these my passwords? ... > biggest problem is to first explain how to create a complex password and the ... >> Even enforcing complex passwords does not guarantee that passwords be ...
    (Security-Basics)
  • Re: Enforcing strong passwords
    ... >]> I'm charged with the a task of enforcing strong passwords on OSF V4.0. ... >]> How could I accomplish the following requirements ... > characters) while most modern systems use something like the BSD MD5 ...
    (comp.security.unix)
  • RE: Password Cracking
    ... Even enforcing complex passwords does not guarantee that passwords be ... Subject: Password Cracking ...
    (Security-Basics)