Re: Password Complexity

The complexity rules are sometimes stated with some simplification.
If you want to get a better handle on them, read the newer releases of
the security/risks-countermeasures guides being released recently
and through the remainder of the year. There are more rules than just
the 3 or 4 character sets. I suspect that the same applies to the
logic employed for aging/reuse.

You are dealing with the fact that changing passwords to things that are
trivial variations is not a strong/safe way to have a password changed.

In your example of passWord2 with 9 characters there are only
about 512 variations in which these chars are in the same order but
each (including the 2) is either upper cased or not. If one knew the
old then finding the new would be trivial if such was allowed as a
valid change.

"xmis1" <xmis1@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> Hi Pawel,
> I just edited a Group Policy to "Do not store LAN Manager hash value on
> next password change". The issue is still the same.
> "Pawel Golen" wrote:
>> xmis1 wrote:
>> > From reading the several articles on password policy, I was under the
>> > assumption that they are not the same. Why does Microsoft recommend
>> > using upper and lower case then? Is it just to prevent password crackers?
>> It is THE SAME password if you look at the LM password hash. It is
>> calculated in the following way:
>> - Take 14 characters (if the password is shorter, pad with null)
>> - Uppercase
>> - Split it into two parts, 7 characters each
>> - Calculate encryption key
>> - Encrypt known value
>> As you can see, passwords are not case sensitive if stored as an LM hash. If
>> you enabled password history, your new password matches the old one (look
>> at step 2 - uppercase).
>> For the NTLM password hash:
>> - Take up to 127 characters (or 128 - please fix me)
>> - Convert to Unicode
>> - Calculate MD4
>> The password is case sensitive. You should disable the creation of LM
>> password hashes.
>> --
>> Pawel Golen
>> mailto:p_golen@xxxxxxxxxx
>> "We all know, after all, that nobody gets any spam" - my troll