Re: Benefits and drawbacks of password complexity

From: ANIXIS (feedback@anixis_dotcom.com)
Date: 02/11/03


From: "ANIXIS" <feedback@anixis_dotcom.com>
Date: Tue, 11 Feb 2003 11:28:50 +1100


The first (and possibly only) attack against your passwords will be a
dictionary crack. If you don't protect passwords against dictionary cracks,
then there is little to be gained by enforcing password complexity rules.

Password complexity rules may help to protect against a dictionary crack,
but as others have already demonstrated, some "complex" passwords are based
on common dictionary words. What you should do (in addition to what you are
already doing) is to check the passwords against a dictionary file. You can
also protect passwords against hybrid attacks by rejecting passwords that
are similar to, but not exactly the same as, a dictionary word. For example,
Password1, 1Passw0rd!, Pass*word etc.

Your management's concerns are valid - users will resort to writing down
passwords if you make it too difficult for them to remember their password.
Some basic user education can work well as long as your password policy is
reasonable. You may also want to enforce a stronger password policy for
Administrator accounts. Administrators are more likely to accept a complex
password policy because they are aware of the issues involved.

Our company develops a configurable password filter for Windows NT and
Windows 2000 called Password Policy Enforcer. You can download a
time-limited copy of PPE from www.anixis.com.

"Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
news:039001c2d0d2$b4d0fd60$d6f82ecf@TK2MSFTNGXA13...
> My company has 3,000+ users. I need to enable password
> policies there. Management wants just 6-character
> alphanumeric passwords (and then I have to create my own
> passfilt.dll). I would enforce lockout (3 attempts) and
> password history=11, too.
>
> I thought a 6-character "password complexity" rule would be
> stronger. But they came up with the following argument:
>
> "If you have this password complexity and force users
> to change it every 6 months, people will have a tendency
> to write the passwords on a piece of paper, because it is
> hard to remember and come up with new difficult passwords
> such as PaSsword10$". What do you think?
>
>
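An added illustration of the dictionary and hybrid check the reply describes (not part of the original thread, and not Anixis's PPE or a real passfilt.dll, which would have to be written as a Windows DLL). It is editor-written Python: the word list, the leet-decoding map, the 5-letter threshold for embedded words, and the reading of "alphanum" as "mixes letters and digits" are all assumptions for the example. It normalizes a candidate password the way hybrid cracking rules would (lower-case, decode 0/1/3/4/5/$/@ substitutions, strip the digits and symbols users bolt onto the ends) and rejects it if any form is, or contains, a dictionary word, so Password1, 1Passw0rd!, Pass*word and PaSsword10$ are all refused.

```python
import re

# Constructed sample word list for the demonstration; a real deployment would
# load a full dictionary file (plus the company's own product and site names).
DICTIONARY = {"password", "secret", "welcome", "letmein", "dragon", "monkey"}

# Substitutions that hybrid cracking rules commonly try. This map is an
# assumption made for the example, not a list taken from any product.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def candidate_forms(password):
    """Return the normalized forms of a password that a hybrid attack would
    reduce back to a base word: lower-cased, leet-decoded, with all
    non-letters removed, and with leading/trailing digits and symbols
    stripped before decoding."""
    lowered = password.lower()
    forms = set()
    for text in (lowered, lowered.translate(LEET_MAP)):
        forms.add(text)
        # Pass*word -> password, Password1 -> password, PaSsword10$ -> password
        forms.add(re.sub(r"[^a-z]", "", text))
    # 1Passw0rd! -> passw0rd -> password (strip the ends, then decode)
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms.add(stripped)
    forms.add(stripped.translate(LEET_MAP))
    forms.discard("")
    return forms


def is_dictionary_based(password, dictionary=DICTIONARY, min_embedded=5):
    """True if any normalized form equals a dictionary word, or embeds one of
    at least min_embedded letters (so dragonfly9 is caught as well as dragon)."""
    forms = candidate_forms(password)
    if forms & dictionary:
        return True
    return any(
        len(word) >= min_embedded and word in form
        for form in forms
        for word in dictionary
    )


def check_password(password, min_length=6, dictionary=DICTIONARY):
    """Apply the thread's proposed policy (6 characters, letters and digits)
    plus the dictionary/hybrid check. Returns a list of reasons for
    rejection; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("must mix letters and digits")
    if is_dictionary_based(password, dictionary):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    # The examples from the thread, plus one that passes.
    for candidate in ("Password1", "1Passw0rd!", "Pass*word", "PaSsword10$",
                      "Tr0ub4dor&3"):
        verdict = check_password(candidate) or ["ok"]
        print("%-12s %s" % (candidate, ", ".join(verdict)))
```

Because the check runs at password-set time rather than against stored hashes, it costs nothing per logon and catches exactly the class of "complex-looking" passwords that a hybrid rule set would recover first; the word list, not the regexes, is what determines its coverage.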