RE: BlackList Passwords

From: IBTerry [MSFT] (ibterry_at_online.microsoft.com)
Date: 11/17/03


Date: Mon, 17 Nov 2003 15:32:53 GMT

Hello Greg,

There is nothing built into the OS that will allow you to ban certain
passwords, unless you write your own passfilt.dll.
You can enable "Passwords Must Meet Complexity Requirements" which should
catch most problem passwords.
The following information is from the "Microsoft Solution for Securing
Windows 2000 Server" paper.

Passwords Must Meet Complexity Requirements
Vulnerability
Passwords that contain only alphanumeric characters are extremely easy to
crack using several publicly available utilities. To prevent this,
passwords should contain additional characters and requirements.

The Passwords Must Meet Complexity Requirements setting determines whether
passwords must meet a series of guidelines that are considered important
for a strong password.

If this policy setting is enabled, then passwords must meet the following
requirements:

The password does not contain all or part of the user's account name.
The password is at least six characters long.
The password contains characters from three of the following four
categories:
English upper case characters (A - Z).
English lower case characters (a - z).
Base 10 digits (0 - 9).
Nonalphanumeric (For example, !, $, #, or %).
These complexity requirements are enforced upon password change or creation
of new passwords.

The rules that are included in the Windows 2000 Server policy cannot be
directly modified. However, a new version of passfilt.dll can be created to
apply a different set of rules. The source code for passfilt.dll can be
found in the Microsoft Knowledge Base article 151082: "HOW TO: Password
Change Filtering & Notification in Windows NT."
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/win2000/secwin2k/05secdom.asp

Hope this helps,

ibterry@online.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
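As an added example, not code from the post or from Microsoft's passfilt.dll sample, the check below implements the complexity rules quoted above in portable Python and combines them with the kind of banned-password list Greg asked about, which is what a custom passfilt.dll would add. The account-name test (tokens of three or more characters must not appear in the password) and the banned list are assumptions of this example.

```python
import re

# Character classes exactly as the policy text lists them; anything that is
# not in the first three counts as nonalphanumeric.
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGIT = set("0123456789")
MIN_LENGTH = 6
MIN_CATEGORIES = 3


def category_count(password):
    """Number of the four character categories present in the password."""
    present = {
        "upper": any(c in UPPER for c in password),
        "lower": any(c in LOWER for c in password),
        "digit": any(c in DIGIT for c in password),
        "symbol": any(c not in UPPER and c not in LOWER and c not in DIGIT
                      for c in password),
    }
    return sum(present.values())


def contains_account_name(password, account_name):
    """Assumption: split the account name on non-alphanumerics and reject the
    password if any token of 3+ characters appears in it (case-insensitive)."""
    tokens = [t for t in re.split(r"[^A-Za-z0-9]+", account_name) if len(t) >= 3]
    lowered = password.lower()
    return any(t.lower() in lowered for t in tokens)


def evaluate_policy(password, account_name, banned=frozenset()):
    """Return the list of failed requirements; an empty list means the
    password is accepted. 'banned' is a constructed, lower-cased blacklist
    standing in for the custom rule a passfilt.dll would enforce."""
    failures = []
    if contains_account_name(password, account_name):
        failures.append("contains part of the account name")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if category_count(password) < MIN_CATEGORIES:
        failures.append(f"fewer than {MIN_CATEGORIES} of the 4 character categories")
    if password.lower() in banned:
        failures.append("appears on the banned-password list")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs for a quick run.
    for pw in ("Passw0rd!", "greg1234", "Ab1!", "Password1!"):
        print(pw, "->", evaluate_policy(pw, "greg", banned={"password1!"}) or "OK")
```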
