Re: Benefits and drawbacks of password complexity

From: Russ
Date: 02/10/03

From: "Russ" <>
Date: Mon, 10 Feb 2003 12:18:05 -0800

In W2K you can enable "Passwords must meet complexity
requirements," which accomplishes the same thing as
As I said, this makes Password1 a good password, so it's a
baby step. There are a lot of 3rd party products that can
be more granular, and use dictionary checks.

>-----Original Message-----
>I mentioned passfilt.dll because if I want to enforce an
>password I would need to do that.
>In Win2K you have option to select the length of characters and that's all.
>I mean, if you select 6 characters, as you mentioned "123456" or "aaaaaa"
>would be acceptable, and that's a bad thing. If password complexity is
>too much, at least something like "a123456" or "1aaaaaa" would be stronger,
>I think.
>"Russ" <> wrote in message
>> Realized after posting that if this is W2K, there is no
>> passfilt, it's just a check box to accomplish the same
>> thing.
>> >-----Original Message-----
>> >I'm not sure why you think you need your own passfilt.
>> >
>> >Without passfilt, you can do all the things you listed,
>> >although 6 characters could be anything (including, as
>> >found out in my environment, 123456 or aaaaaa).
>> >forces 3 of 4 of upper case, lower case, number,
>> >character, which makes Password1 valid.
>> >
>> >It's a fine line between a strong password that the
>> >can remember, and one that will be written down, but
>> >no complexity requirement at all, you're pretty much
>> >open. I kind of like the sentence approach suggested
>> >Peter.
>> >
>> >>-----Original Message-----
>> >>My company has +3,000 users. I need to enable password
>> >>policies there. Management wants just 6 characters
>> >>alphanum passwords (and then I have to create my own
>> >>passfilt.dll). I would enforce lockout (3 times),
>> >>password history=11, too.
>> >>
>> >>I thought a 6 characters "password complexity" would
>> >>stronger. But they came up with the following
>> >>
>> >>"If you have this password complexity and forcing
>> >>to change it every 6 months, people will have a
>> >>to write the passwords in a piece of paper, because it is
>> >>hard to remember and come up with new difficult passwords
>> >>such as PaSsword10$". What do you think?
>> >>
>> >
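
The 3-of-4 character class rule discussed in this thread, set beside a check that also rejects trivial patterns and dictionary words, as an added example that is not part of the original messages. The function names, the small wordlist and the substitution table are assumptions made for illustration; the code implements only the rule as the thread describes it, not the Windows filter itself.

```python
import string

# Constructed sample wordlist; a real deployment would load a large dictionary.
WORDLIST = {"password", "welcome", "letmein", "summer", "company"}

# Common character substitutions undone before the dictionary lookup.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})


def char_classes(pw):
    """Count how many of the four classes (upper, lower, digit, other) appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def meets_three_of_four(pw, min_len=6):
    """The rule as described in the thread: minimum length plus 3 of 4 classes."""
    return len(pw) >= min_len and char_classes(pw) >= 3


def trivial_pattern(pw):
    """True for one repeated character or a straight run such as 123456."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def dictionary_hit(pw, words=WORDLIST):
    """True when the password is a listed word plus digit/symbol decoration."""
    core = pw.lower().strip(string.digits + string.punctuation + " ")
    return core in words or core.translate(LEET) in words


def evaluate(pw):
    """Return (passes_3_of_4, passes_stricter_check)."""
    basic = meets_three_of_four(pw)
    strict = basic and not trivial_pattern(pw) and not dictionary_hit(pw)
    return basic, strict
```

The first value of `evaluate` is the 3-of-4 rule alone; the second adds the pattern and dictionary checks, which is where decorated words such as Password1 are rejected while a sentence-style password still passes.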