Benefits and drawbacks of password complexity

From: Russ (rwsinclair@mcpmail.com)
Date: 02/10/03


From: "Russ" <rwsinclair@mcpmail.com>
Date: Mon, 10 Feb 2003 06:54:39 -0800


I'm not sure why you think you need your own passfilt.

Without passfilt, you can do all the things you listed,
although 6 characters could be anything (including, as I
found out in my environment, 123456 or aaaaaa). Passfilt
forces 3 of 4 of upper case, lower case, number, special
character, which makes Password1 valid.

It's a fine line between a strong password that the user
can remember, and one that will be written down, but with
no complexity requirement at all, you're pretty much wide
open. I kind of like the sentence approach suggested by
Peter.

>-----Original Message-----
>My company has +3,000 users. I need to enable password
>policies there. Management wants just 6-character
>alphanum passwords (and then I have to create my own
>passfilt.dll). I would enforce lockout (3 times),
>password history=11, too.
>
>I thought a 6-character "password complexity" would be
>stronger. But they came up with the following argument:
>
>"If you have this password complexity and force users
>to change it every 6 months, people will have a tendency
>to write the passwords on a piece of paper, because it is
>hard to remember and come up with new difficult passwords
>such as PaSsword10$". What do you think?
>
>
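
The policies compared in this thread, run over the passwords it mentions. This is an added example, not part of the original posts and not Microsoft's passfilt code. The reading of "alphanum" as "at least one letter and one digit", the deny-list check, and the last two sample passwords are assumptions made for illustration.

```python
import string

MIN_LENGTH = 6  # minimum length discussed in the thread
COMMON_BASES = {"password", "welcome", "qwerty"}  # constructed sample deny-list

def char_classes(pw):
    """Return which of the four character classes appear in pw."""
    found = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("special")
    return found

def length_only(pw):
    # Length-only policy: anything of 6 or more characters is accepted.
    return len(pw) >= MIN_LENGTH

def alphanumeric(pw):
    # Assumed reading of "6 characters alphanum": a letter and a digit required.
    found = char_classes(pw)
    return length_only(pw) and "digit" in found and bool(found & {"upper", "lower"})

def three_of_four(pw):
    # The rule as described in the reply: 3 of the 4 character classes.
    return length_only(pw) and len(char_classes(pw)) >= 3

def common_base(pw):
    # Hypothetical extra check: strip trailing digits/symbols, compare to deny-list.
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base in COMMON_BASES

def evaluate(samples):
    """Map each password to (length_only, alphanumeric, three_of_four, common_base)."""
    return {pw: (length_only(pw), alphanumeric(pw), three_of_four(pw), common_base(pw))
            for pw in samples}

# First four values appear in the thread; the last two are constructed.
SAMPLES = ["123456", "aaaaaa", "Password1", "PaSsword10$", "abc123", "My dog ate 3 shoes!"]

if __name__ == "__main__":
    for pw, result in evaluate(SAMPLES).items():
        print(f"{pw!r:24} {result}")
```

A True in the last column marks a password that satisfies the 3-of-4 rule while still being a common word with a suffix, which is the gap a character-class rule alone does not close.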


