2 out of 4 password complexity requirements?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • 2 out of 4 password complexity requirements?

    I have a Windows 2003 Active Directory domain and am trying to increase the password complexity requirements.

    However, it seems as though the password complexity requirement is an all-or-nothing setting. Either I can choose to have no password complexity enforced, or users must use 3 out of the 4 character types, which is actually pretty difficult to think up, remember, and not write down, etc.

    Is there a way that I can enforce creation of passwords that meet 2 out of 4 of the character types? (i.e. any 2 out of the 4: lowercase, uppercase, numbers and symbols)

  • #2
    Re: 2 out of 4 password complexity requirements?

    Nope. 3 is the minimum.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: 2 out of 4 password complexity requirements?

      Originally posted by humbletech99:
      Either I can choose to have no password complexity enforced or users must use 3 out of the 4 character types which is actually pretty difficult to think up, remember and not write down etc.
      Sorry, I disagree with you on this. Stop thinking password and think instead passphrase.

      Ilike$ailin9.
      H0tchick$
      [email protected]!
      [email protected]
      [email protected] of the Free!
      %payIncrease4IncreasedProductivity

      Try thinking outside the [email protected]$.
      1 1 was a racehorse.
      2 2 was 1 2.
      1 1 1 1 race 1 day,
      2 2 1 1 2



      • #4
        Re: 2 out of 4 password complexity requirements?

        Yes, yes, of course, but this is not going to fly at work. You are like me, a techie, but try explaining to business people that they have to type this in 20 times a day with screen locking, and they will say screw the whole thing...



        • #5
          Re: 2 out of 4 password complexity requirements?

          Not knowing the size and structure of the company you work for limits what I can suggest. If you have a large organisation and you have a manager, then get them to create and enforce a password policy. If it is just you, keep the passwords short but meeting the standard. Each time the user says they can't remember their password, create a new one but add a couple of extra characters. By the time it gets to 20 characters they will start remembering it. Also, if it is just you, get support from the main boss. Explain to them the importance of security and the need for secure passwords, and don't just tell him: make up a written report and present it to him along with the explanation. This does 2 things:
          1. makes them aware of the need for password security
          2. covers your arse when they do get penetrated due to lax passwords

          There are 2 types of networks. Those that have been hacked and those that are going to be hacked.



          • #6
            Re: 2 out of 4 password complexity requirements?

            Originally posted by biggles77:
            Sorry, I disagree with you on this. Stop thinking password and think instead passphrase.

            Ilike$ailin9.
            H0tchick$
            [email protected]!
            [email protected]
            [email protected] of the Free!
            %payIncrease4IncreasedProductivity

            Try thinking outside the [email protected]$.
            I bet I know your password - Sh33pRfun!!!
            Michael Armstrong
            www.m80arm.co.uk
            MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

            ** Remember to give credit where credit is due and leave reputation points where appropriate **



            • #7
              Re: 2 out of 4 password complexity requirements?

              Originally posted by humbletech99:
              yes yes of course, but this is not going to fly at work. You are like me, a techie, but try explaining this to business people that they have to type this in 20 times a day with screen locking and they will say screw the whole thing...
              If the company have enshrined this in policy then they can grumble as much as they like... they will get used to it! It takes about 3 months before everyone finally "gets" it... and when they're given no choice they learn to live with it.


              Tom
              For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

              Anything you say will be misquoted and used against you



              • #8
                Re: 2 out of 4 password complexity requirements?

                Originally posted by m80arm:
                I bet I know your password - Sh33pRfun!!!
                (Now how do I apply a negative Rep Point?) Don't joke about my (female) friends like that or I will get hurt feelings.



                • #9
                  Re: 2 out of 4 password complexity requirements?

                  Hi,

                  Complex password settings are stored in passfilt.dll. If you want to change default settings of complex password then you can create a customized passfilt.dll.

                  Go to the link below; it might help you:

                  http://msdn2.microsoft.com/en-us/library/ms722439.aspx

                  Regards,
                  Kapil Sharma
                  ~~~~~~~~~~~~~
                  Life is too short, Enjoy It.



                  • #10
                    Re: 2 out of 4 password complexity requirements?

                    Yes, I looked at this briefly last night, but it seems like I'd have to write some code to do this and I'm not a Windows dev. Even if I wrote a passfilt.dll replacement I wouldn't bet my Active Directory on it.

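The rule the thread is arguing about, as an added example that is not code from the forum, from Microsoft, or from passfilt.dll: a Python function that counts the four character classes with a configurable threshold, so the built-in 3-of-4 rule can be compared side by side with the 2-of-4 rule the original poster wants. This is only the decision logic; a real custom filter has to be a native DLL that the LSA loads on every domain controller (the MSDN page linked in #9), which is exactly why #10 is nervous about betting the directory on it. The character-class definitions, the minimum length and the account-name check here are simplified approximations of the Windows rule and are assumptions of this example; the sample passphrases are the ones quoted later in the thread plus two constructed weak ones.

```python
from typing import Callable, Dict, Iterable, Set, Tuple

# Character classes in the style of the Windows complexity rule.
# Assumption for this example: anything that is not upper, lower or digit
# counts as the fourth ("other") class, which is how the '$', '@', '.' and
# spaces in the thread's passphrases get credited.
CHARACTER_CLASSES: Dict[str, Callable[[str], bool]] = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "other": lambda c: not (c.isupper() or c.islower() or c.isdigit()),
}


def classes_present(password: str) -> Set[str]:
    """Return the names of the character classes that occur in the password."""
    return {name for name, test in CHARACTER_CLASSES.items()
            if any(test(c) for c in password)}


def meets_complexity(password: str, username: str = "",
                     required_classes: int = 3,
                     min_length: int = 6) -> Tuple[bool, str]:
    """Evaluate a password against an N-of-4 character-class rule.

    required_classes=3 and min_length=6 mirror the built-in Windows setting;
    required_classes=2 is the relaxed rule asked for in the thread, which the
    built-in filter cannot express.  The account-name test is a simplified
    version of the Windows one (case-insensitive substring, names of at least
    three characters); it is an assumption of this example.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(username) >= 3 and username.lower() in password.lower():
        return False, "contains the account name"
    found = classes_present(password)
    if len(found) < required_classes:
        return False, (f"only {len(found)} of 4 character classes "
                       f"({', '.join(sorted(found))}); "
                       f"{required_classes} required")
    return True, f"{len(found)} of 4 character classes present"


def evaluate(candidates: Iterable[str], **policy) -> Dict[str, Tuple[bool, str]]:
    """Apply one policy to a batch, e.g. to preview what a threshold change does."""
    return {p: meets_complexity(p, **policy) for p in candidates}


if __name__ == "__main__":
    # Constructed test input: passphrases suggested in the thread plus two
    # weak ones that only contain two classes.  Not real credentials.
    samples = ["Mad max 3.", "Born on 4th July.", "Hard @ work 4 ever!",
               "%payIncrease4IncreasedProductivity", "password1", "Password"]
    for rule in (3, 2):
        print(f"--- {rule} of 4 classes required ---")
        for pw, (ok, why) in evaluate(samples, required_classes=rule).items():
            print(f"{'PASS' if ok else 'FAIL'}  {pw!r}: {why}")
```

Run as a script it prints both verdict tables; the point to notice is that the passphrases recommended in #3 and #11 already hit all four classes, so they clear the built-in 3-of-4 rule without any custom filter, while the 2-of-4 relaxation only rescues strings like "password1" and "Password", which is the trade-off the later replies are warning about.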


                    • #11
                      Re: 2 out of 4 password complexity requirements?

                      Even if you did that, you would be letting the tail wag the dog. As others have said, think passphrase.

                      I suggest you simply say to your users: think of a brief phrase with a number in it, include the usual spaces, and add a full stop or some other punctuation at the end. With a capital at the beginning, it's very, very easy to remember, e.g.
                      • Mad max 3.
                      • Born on 4th July.
                      • Hard @ work 4 ever!


                      Easy to type, easy to remember. Not as secure as they could be, I admit, because they contain real words, but fairly reasonable for your difficult situation.
                      Best wishes,
                      PaulH.
                      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                      • #12
                        Re: 2 out of 4 password complexity requirements?

                        One I use for the more feeble-brained teachers, err, I mean users that I work with is to use a location where a friend lives and combine it with the last 4 digits of their friend's phone number (or zip code/postcode). They have a fair chance of remembering it, and they can look it up if they forget it, therefore no need to write it down. Once they have gotten used to that, then you can move on to the more complex passwords.



                        • #13
                          Re: 2 out of 4 password complexity requirements?

                          I have to turn off complex passwords on my networks too as users are hopeless and end up writing their passwords down and putting them on sticky notes on their monitors. Somewhat less secure.

                          I found an ADM file last time when I Googled this topic that allows you to specify in the GPO which requirements you want, e.g. capital letter, symbol, alphanumeric, etc. I would paste a link but I can't seem to find it now.
                          Please remember to leave positive reputation points (The Ying Yang Icon) if someone helps you.



                          • #14
                            Re: 2 out of 4 password complexity requirements?

                            Hmm, that would be very interesting, as ADM is much simpler than writing C to replace passfilt, which seems kind of dangerous.

                            I'll have a google for it and let you know if I find it.



                            • #15
                              Re: 2 out of 4 password complexity requirements?

                              Originally posted by ]SK[:
                              I have to turn off complex passwords on my networks too as users are hopeless and end up writing their passwords down and putting them on sticky notes on their monitors. Somewhat less secure.

                              I found an ADM file last time when I Googled this topic that allows you to specify in the GPO which requirements you want. EG Capital letter, symbol alpha numeric etc. I would paste a link but I can't seem to find it now.
                              In a policy driven environment (i.e. a strongly written IS Policy backed by The Board) this would be a security offence which merits immediate dismissal. It's not just "his" password, it grants access to a corporate email system, network and data.

                              Honestly!! Anyone would think that IS Policy is driven by the Users, not the other way around!!!


                              Tom
