Benefits and drawbacks of password complexity

From: Russ (rwsinclair@mcpmail.com)
Date: 02/10/03


From: "Russ" <rwsinclair@mcpmail.com>
Date: Mon, 10 Feb 2003 06:54:39 -0800


I'm not sure why you think you need your own passfilt.

Without passfilt, you can do all the things you listed,
although 6 characters could be anything (including, as I
found out in my environment, 123456 or aaaaaa). Passfilt
forces 3 of 4 of upper case, lower case, number, special
character, which makes Password1 valid.

It's a fine line between a strong password that the user
can remember, and one that will be written down, but with
no complexity requirement at all, you're pretty much wide
open. I kind of like the sentence approach suggested by
Peter.

>-----Original Message-----
>My company has +3,000 users. I need to enable password
>policies there. Management wants just 6 characters
>alphanum passwords (and then I have to create my own
>passfilt.dll). I would enforce lockout (3 times),
>password history=11, too.
>
>I thought a 6 characters "password complexity" would be
>stronger. But they came up with the following argument:
>
>"If you have this password complexity and forcing users
>to change it every 6 months, people will have a tendency
>to write the passwords in a piece of paper, because it is
>hard to remember and come up with new difficult passwords
>such as PaSsword10$". What do you think ?
>
>
>.
>



Relevant Pages

  • Re: Benefits and drawbacks of password complexity
    ... If I enable 6 characters (and I do not enable password complexity) they ... > requirements," which accomplishes the same thing as ... >>> passfilt, it's just a check box to accomplish the same ...
    (microsoft.public.win2000.security)
  • Re: Password question
    ... going to enable password complexity very soon. ... setting says that it requires a minumum of 6 characters. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Benefits and drawbacks of password complexity
    ... I mentioned passfilt.dll because if I want to enforce an alphanumeric ... In Win2K you have option to select the length of characters and that's all. ... >>I'm not sure why you think you need your own passfilt. ... >>>alphanum passwords (and then I have to create my own ...
    (microsoft.public.win2000.security)
  • Benefits and drawbacks of password complexity
    ... it's just a check box to accomplish the same ... >I'm not sure why you think you need your own passfilt. ... >no complexity requirement at all, ... Management wants just 6 characters ...
    (microsoft.public.win2000.security)
  • Re: Benefits and drawbacks of password complexity
    ... In W2K you can enable "Passwords must meet complexity ... requirements," which accomplishes the same thing as ... >I mean, if you select 6 characters, as you ... >> passfilt, it's just a check box to accomplish the same ...
    (microsoft.public.win2000.security)