Re: Benefits and drawbacks of password complexity

From: "Marlon Brown" <marlon_brown@hotmail.com>
Date: Mon, 10 Feb 2003 07:25:00 -0800


I mentioned passfilt.dll because if I want to enforce an alphanumeric
password I would need to do that.
In Win2K you have the option to select the length of characters and
that's all. I mean, if you select 6 characters, as you mentioned, "123456"
or "aaaaaa" would be acceptable, and that is a bad thing. If password
complexity is too much, at least something like "a123456" or "1aaaaaa"
would be stronger, I think.

"Russ" <rwsinclair@mcpmail.com> wrote in message
news:06ce01c2d114$c8d134a0$d5f82ecf@TK2MSFTNGXA12...
> Realized after posting that if this is W2K, there is no
> passfilt, it's just a check box to accomplish the same
> thing.
>
> >-----Original Message-----
> >I'm not sure why you think you need your own passfilt.
> >
> >Without passfilt, you can do all the things you listed,
> >although 6 characters could be anything (including, as I
> >found out in my environment, 123456 or aaaaaa). Passfilt
> >forces 3 of 4 of upper case, lower case, number, special
> >character, which makes Password1 valid.
> >
> >It's a fine line between a strong password that the user
> >can remember, and one that will be written down, but with
> >no complexity requirement at all, you're pretty much wide
> >open. I kind of like the sentence approach suggested by
> >Peter.
> >
> >>-----Original Message-----
> >>My company has +3,000 users. I need to enable password
> >>policies there. Management wants just 6 characters
> >>alphanum passwords (and then I have to create my own
> >>passfilt.dll). I would enforce lockout (3 times),
> >>password history=11, too.
> >>
> >>I thought a 6 characters "password complexity" would be
> >>stronger. But they came up with the following argument:
> >>
> >>"If you have this password complexity and forcing users
> >>to change it every 6 months, people will have a tendency
> >>to write the passwords on a piece of paper, because it is
> >>hard to remember and come up with new difficult passwords
> >>such as PaSsword10$". What do you think?
> >
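
The three policies compared in this thread, run over the passwords the posters mention. This is an added example, not code from the thread and not the logic of passfilt.dll itself. It assumes "alphanumeric" means at least one letter plus at least one digit, and that any character outside A-Z, a-z and 0-9 counts as "special"; the function names are hypothetical.

```python
import string

# Passwords quoted in the thread.
SAMPLES = ["123456", "aaaaaa", "a123456", "1aaaaaa", "Password1", "PaSsword10$"]


def char_classes(pw):
    """Return the set of character classes that appear in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")  # assumption: everything else is "special"
    return classes


def length_only(pw, min_len=6):
    """Minimum length with no complexity requirement."""
    return len(pw) >= min_len


def alphanumeric(pw, min_len=6):
    """Assumed reading of 'alphanumeric': a letter and a digit are both present."""
    c = char_classes(pw)
    return len(pw) >= min_len and "digit" in c and bool(c & {"upper", "lower"})


def three_of_four(pw, min_len=6):
    """The '3 of 4 of upper case, lower case, number, special character' rule."""
    return len(pw) >= min_len and len(char_classes(pw)) >= 3


POLICIES = {"length_only": length_only, "alphanumeric": alphanumeric,
            "three_of_four": three_of_four}


def evaluate(passwords=SAMPLES):
    """Map each password to the pass/fail verdict of every policy."""
    return {pw: {name: rule(pw) for name, rule in POLICIES.items()}
            for pw in passwords}


if __name__ == "__main__":
    for pw, verdicts in evaluate().items():
        print(f"{pw:12}", "  ".join(f"{n}={'ok' if v else 'REJECT'}"
                                    for n, v in verdicts.items()))
```

The output shows "a123456" and "1aaaaaa" clearing the alphanumeric rule but not 3-of-4, while "Password1" clears all three.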