Re: AD Password complexity - passwords too long?
- From: Anthony Petito <anthonypetito@xxxxxxxxx>
- Date: Wed, 20 May 2009 17:20:19 -0500
Since we haven't seen an update from the OP since yesterday, I can
only assume the issue is more than likely solved. That said, I don't
think it was stated how he was changing his password. Is he going
through the ADUC snap-in or changing it from a client machine? If I
remember correctly, when an Administrator changes a password through
ADUC it bypasses the password history check *but* still adds that
password to the history list for that user. Therefore, if an
Administrator can set a password longer than 10 characters from ADUC
one could only assume that the password you're resetting to probably
does not meet the other complexity requirements that Group Policy is
set to require.
Out of curiosity, I wonder if OP might have been using any NIST/NSA
security checklists or guides to secure the environment. If so, the
password requirements (from enpasflt.dll) could be set stronger than
what the MSFT documentation spells out.
On Wed, May 20, 2009 at 1:43 PM, Jason Hurst <Jason.Hurst@xxxxxxxxxxx> wrote:
While there has been great information in this thread about password
management, it doesn't really seem to be answering the original
question, which is why is there an error being generated for passwords
of more than 10 characters.
Dgonzalez, the first thing I would suggest is to try a completely
randomly generated password of 12 characters, to insure that you are not
reusing a previous password that my be disallowed due to password
history requirements. I'm not sure if I saw this suggestion as a test in
a previous email.
Additional, it is possible for a non-default password filter to be added
to a system for password management.
Check the following registry key for non-default filters:
A changed password filter would be standard in a federal system, and is
covered by the DISA STIG for Windows systems.
Hopefully this helps.
Sr. Network Security Administrator
Panda Restaurant Group
Please consider the environment before printing this email
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Torsten Pihl
Sent: Tuesday, May 19, 2009 7:41 PM
Subject: Re: AD Password complexity - passwords too long?
Hi, I'm just mentioning this in passing, assuming you already found
the answer in the Group Policy thingy. Pass phrase length is far more
superior than complexity. Password complexity encourages folks to
write their passwords down. Suboptimal. Pass phrases are easy to
remember and resistant to password crackers.
On Tue, May 19, 2009 at 09:32, <dgonzalez.itpro@xxxxxxxxx> wrote:
Hello list,length is 8 and all XP users and Windows 2003 servers.
We have password complexities set on our domain; minimum password
10+ characters, they get the error message that they do not meet the
I can set my password to 9-10 characters, but if I try to set it for
requirements. I think I saw something about 28 characters, and even 127
I have searched Microsoft documentation, and find minimum length
at the users discretion. Can this be done?
Does anyone know if there is a max password length?
We would like to keep the minimum 8 characters, and the maximum varied