Re: Benefits and drawbacks of password complexity

From: "Marlon Brown" <marlon_brown@hotmail.com>
Date: Mon, 10 Feb 2003 07:25:00 -0800


I mentioned passfilt.dll because if I want to enforce an alphanumeric
password I would need to do that.
In Win2K you have the option to select the length of characters and that's all.
I mean, if you select 6 characters, as you mentioned "123456" or "aaaaaa"
would be acceptable, and that's a bad thing. If password complexity is
too much, at least something like "a123456" or "1aaaaaa" would be stronger,
I think.

"Russ" <rwsinclair@mcpmail.com> wrote in message
news:06ce01c2d114$c8d134a0$d5f82ecf@TK2MSFTNGXA12...
> Realized after posting that if this is W2K, there is no
> passfilt, it's just a check box to accomplish the same
> thing.
>
> >-----Original Message-----
> >I'm not sure why you think you need your own passfilt.
> >
> >Without passfilt, you can do all the things you listed,
> >although 6 characters could be anything (including, as I
> >found out in my environment, 123456 or aaaaaa). Passfilt
> >forces 3 of 4 of upper case, lower case, number, special
> >character, which makes Password1 valid.
> >
> >It's a fine line between a strong password that the user
> >can remember, and one that will be written down, but with
> >no complexity requirement at all, you're pretty much wide
> >open. I kind of like the sentence approach suggested by
> >Peter.
> >
> >>-----Original Message-----
> >>My company has +3,000 users. I need to enable password
> >>policies there. Management wants just 6 characters
> >>alphanum passwords (and then I have to create my own
> >>passfilt.dll). I would enforce lockout (3 times),
> >>password history=11, too.
> >>
> >>I thought a 6 characters "password complexity" would be
> >>stronger. But they came up with the following argument:
> >>
> >>"If you have this password complexity and forcing users
> >>to change it every 6 months, people will have a tendency
> >>to write the passwords in a piece of paper, because it is
> >>hard to remember and come up with new difficult passwords
> >>such as PaSsword10$". What do you think?
> >>
> >
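
The three policies compared in this thread, side by side, as an added example (not code from any poster, and not a Windows password filter DLL, only the decision logic such a filter would apply). It assumes "alphanumeric" means at least one letter and one digit; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 6 /* minimum length discussed in the thread */
enum { CLS_UPPER = 1, CLS_LOWER = 2, CLS_DIGIT = 4, CLS_SPECIAL = 8 };

/* Return a bitmask of the character classes that occur in pw. */
static unsigned classes_present(const char *pw)
{
    unsigned mask = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isupper(c))      mask |= CLS_UPPER;
        else if (islower(c)) mask |= CLS_LOWER;
        else if (isdigit(c)) mask |= CLS_DIGIT;
        else                 mask |= CLS_SPECIAL;
    }
    return mask;
}

/* Length-only policy: the minimum-length setting with no complexity check. */
int ok_length_only(const char *pw) { return strlen(pw) >= MIN_LEN; }

/* Assumed meaning of "alphanumeric": length plus >= 1 letter and >= 1 digit. */
int ok_alphanumeric(const char *pw)
{
    unsigned m = classes_present(pw);
    return ok_length_only(pw) && (m & (CLS_UPPER | CLS_LOWER)) && (m & CLS_DIGIT);
}

/* Complexity rule as described in the thread: 3 of the 4 character classes. */
int ok_three_of_four(const char *pw)
{
    unsigned m = classes_present(pw);
    int n = !!(m & CLS_UPPER) + !!(m & CLS_LOWER) + !!(m & CLS_DIGIT) + !!(m & CLS_SPECIAL);
    return ok_length_only(pw) && n >= 3;
}

int main(void)
{
    /* Sample passwords are the ones quoted in the thread. */
    const char *samples[] = { "123456", "aaaaaa", "a123456", "1aaaaaa", "Password1", "PaSsword10$" };
    size_t i;
    printf("%-12s %-7s %-9s %s\n", "password", "length", "alphanum", "3-of-4");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %-7d %-9d %d\n", samples[i], ok_length_only(samples[i]),
               ok_alphanumeric(samples[i]), ok_three_of_four(samples[i]));
    return 0;
}
```

The table makes the gap visible: "a123456" and "1aaaaaa" pass the alphanumeric rule but not the 3-of-4 rule, while "Password1" passes all three.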


