Re: Benefits and drawbacks of password complexity

From: Russ (rwsinclair@mcpmail.com)
Date: 02/10/03


From: "Russ" <rwsinclair@mcpmail.com>
Date: Mon, 10 Feb 2003 12:18:05 -0800


In W2K you can enable "Passwords must meet complexity
requirements," which accomplishes the same thing as
passfilt.
As I said, this makes Password1 a good password, so it's a
baby step. There are a lot of 3rd party products that can
be more granular, and use dictionary checks.

>-----Original Message-----
>I mentioned passfilt.dll because if I want to enforce an alphanumeric
>password I would need to do that.
>In Win2K you have the option to select the length of characters and that's all.
>I mean, if you select 6 characters, as you mentioned "123456" or "aaaaaa"
>would be acceptable, and that's a bad thing. If password complexity is
>too much, at least something like "a123456" or "1aaaaaa" would be stronger,
>I think.
>
>"Russ" <rwsinclair@mcpmail.com> wrote in message
>news:06ce01c2d114$c8d134a0$d5f82ecf@TK2MSFTNGXA12...
>> Realized after posting that if this is W2K, there is no
>> passfilt, it's just a check box to accomplish the same
>> thing.
>>
>> >-----Original Message-----
>> >I'm not sure why you think you need your own passfilt.
>> >
>> >Without passfilt, you can do all the things you listed,
>> >although 6 characters could be anything (including, as I
>> >found out in my environment, 123456 or aaaaaa). Passfilt
>> >forces 3 of 4 of upper case, lower case, number, special
>> >character, which makes Password1 valid.
>> >
>> >It's a fine line between a strong password that the user
>> >can remember, and one that will be written down, but with
>> >no complexity requirement at all, you're pretty much wide
>> >open. I kind of like the sentence approach suggested by
>> >Peter.
>> >
>> >>-----Original Message-----
>> >>My company has +3,000 users. I need to enable password
>> >>policies there. Management wants just 6 characters
>> >>alphanum passwords (and then I have to create my own
>> >>passfilt.dll). I would enforce lockout (3 times),
>> >>password history=11, too.
>> >>
>> >>I thought a 6 characters "password complexity" would be
>> >>stronger. But they came up with the following argument:
>> >>
>> >>"If you have this password complexity and forcing users
>> >>to change it every 6 months, people will have a tendency
>> >>to write the passwords in a piece of paper, because it is
>> >>hard to remember and come up with new difficult passwords
>> >>such as PaSsword10$". What do you think?
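
The 3-of-4 character-class rule and the dictionary check mentioned in this thread, side by side, as an added example that is not part of the original posts and is not the passfilt implementation. The wordlist, the substitution table and all function names are constructed for illustration; the 6-character minimum is the length discussed in the thread.

```python
import string

# Constructed sample wordlist; a real filter would load a large dictionary.
WORDLIST = {"password", "welcome", "summer", "letmein"}
# Assumed set of common substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "$": "s", "@": "a"})


def char_classes(pw):
    """Report which of the four classes named in the thread appear in pw."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def meets_complexity(pw, min_len=6):
    """Minimum length plus at least 3 of the 4 character classes."""
    return len(pw) >= min_len and sum(char_classes(pw).values()) >= 3


def dictionary_base(pw):
    """Return the wordlist entry the password is built on, or None."""
    # Drop leading/trailing digits and symbols ("Password1" -> "Password").
    core = pw.strip(string.digits + string.punctuation).lower()
    for candidate in (core, core.translate(LEET)):
        if candidate in WORDLIST:
            return candidate
    return None


def evaluate(pw):
    """Combine both checks so the gap between them is visible."""
    return {"complexity": meets_complexity(pw),
            "dictionary_word": dictionary_base(pw)}


if __name__ == "__main__":
    # Passwords quoted in the thread, plus two constructed ones at the end.
    for sample in ("123456", "aaaaaa", "a123456", "Password1",
                   "PaSsword10$", "P@ssw0rd!", "Tr7-kqz"):
        print(f"{sample!r:15} {evaluate(sample)}")
```

Password1 and PaSsword10$ both pass the class rule and both reduce to the same dictionary word, which is the gap a dictionary-aware filter closes.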


