Focus on Microsoft
AD Password complexity - passwords too long? May 19 2009 04:32PM
dgonzalez itpro gmail com (6 replies)
Re: AD Password complexity - passwords too long? May 20 2009 02:40AM
Torsten Pihl (thorgolucky gmail com) (1 replies)
RE: AD Password complexity - passwords too long? May 20 2009 06:43PM
Jason Hurst (Jason Hurst PandaRG com) (1 replies)
Re: AD Password complexity - passwords too long? May 20 2009 10:20PM
Anthony Petito (anthonypetito gmail com)
Re: AD Password complexity - passwords too long? May 20 2009 12:30AM
ews (ews tellurian net) (2 replies)
The difference between 7 and 8 is computationally negligible these
days. Eight characters create two halves of a LanMan hash (which is still
created by default, both on servers and workstations). Enforcing an
eight-character complex password means users will typically put the
special character (*&^%$) as the last character (and many users will
only create the minimal-length password). That leaves the first seven
characters as alphanumeric, which can be cracked with a small
character set in a password cracker. The eighth character is then the
special character, which is the first character in the second LanMan
hash, so it will crack instantly in a password cracker. You've then
compromised a complex password of 8 characters in a matter of minutes.

If the password minimum length is seven, most users will make theirs
seven, which means the special character is within the first 7 (probably
last, but that doesn't matter), which means that in order to crack the LanMan
hash you'd need to run the cracker with the entire character set (not
just alphanumeric) over the entire 7-character range, which will take a
long time. Using this analogy, a seven-character complex password will
usually be tougher to crack than an 8-12 character complex password.

If you insist upon using 8, then make sure to set the reg key on all
desktops, servers, and domain controllers to not create the LanMan
hash. Then, run some of the freeware tools available to delete all
existing LanMan hashes from the password history (as they can be used to
help guess what the current password is).

Better yet, enforce a minimum of 15 characters. You should still run a
tool to delete all the old password hashes just to be safe. With a 15
character password, it won't save the LM hash, so it will be much
tougher to crack.

I've done an experiment in the classroom on password length (before
Steve Riley wrote an article on this - no offense Steve!). I ask each
person on one side of the classroom to pick a password. They think up a
password - one they would typically use at work. Don't say it, just
think of it. Then I ask people on the other side of the classroom to
think of a passphrase. Don't say it out loud- just think of it. I ask
the first side of the room (password) to count the length of the
password they thought of - and I ask the others (passphrase) to count
the length of their passphrase. The first side of the room is usually
sitting between 7 and 13 characters long. The second side of the
classroom is anywhere from 20 to 60 characters long (rarely shorter than
15).

Asking users to think of passwords as 'passphrases' is a really good way
to encourage long password length. It's usually easier for a user to
remember their passphrase, and it's easy for them to change it next
month (they can simply change a word or value in their phrase.) A good
passphrase usually includes one or more spaces in the phrase - that
helps with the special character (how many people put spaces in their
passwords? not many...)

Therefore, if you want to go with a minimum less than 15, use 7, else do
15+ and educate folks about the coolness of the passphrase. Just don't
use 8. (See my article here on why 7 is better than 8:
http://www.securityfocus.com/infocus/1319)

dgonzalez.itpro (at) gmail (dot) com [email concealed] wrote:
> Hello list,
>
> We have password complexities set on our domain; minimum password length is 8 and all XP users and Windows 2003 servers.
>
> I can set my password to 9-10 characters, but if I try to set it for 10+ characters, they get the error message that they do not meet the complexity requirements.
>
> I have searched Microsoft documentation, and find minimum length requirements. I think I saw something about 28 characters, and even 127 characters.
>
> Does anyone know if there is a max password length?
>
> We would like to keep the minimum 8 characters, and the maximum varied at the users' discretion. Can this be done?
>
> Thanks
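The LanMan split that the post above describes, worked through as an added example (this is editor-supplied code, not something from the original post or from Microsoft). It computes LM hashes the way Windows does (uppercase, NUL-pad to 14 bytes, split into two 7-byte halves, each used as a DES key to encrypt the constant "KGS!@#$%") using .NET's DES, and then shows that the second half of an 8-character password is nothing more than the hash of one character standing alone, while a 15+ character password produces no LM hash at all. The sample passwords are constructed for the demonstration; the NoLMHash registry value and the Set-ADDefaultDomainPasswordPolicy call at the end are the documented Windows settings, shown commented out because they change system state, and the domain name in that call is a placeholder.

```powershell
# Added example, not from the original post. Reproduces the LM hash construction
# with .NET's DES so the "8 characters = 7 + 1" weakness can be seen directly.

function ConvertTo-DesKey {
    # Spread 7 password bytes (56 bits) over 8 DES key bytes; the low bit of each
    # byte is a parity bit that DES ignores, so it is simply cleared here.
    param([byte[]]$Seven)
    $k = New-Object byte[] 8
    $k[0] = $Seven[0] -band 0xFE
    $k[1] = (($Seven[0] -shl 7) -bor ($Seven[1] -shr 1)) -band 0xFE
    $k[2] = (($Seven[1] -shl 6) -bor ($Seven[2] -shr 2)) -band 0xFE
    $k[3] = (($Seven[2] -shl 5) -bor ($Seven[3] -shr 3)) -band 0xFE
    $k[4] = (($Seven[3] -shl 4) -bor ($Seven[4] -shr 4)) -band 0xFE
    $k[5] = (($Seven[4] -shl 3) -bor ($Seven[5] -shr 5)) -band 0xFE
    $k[6] = (($Seven[5] -shl 2) -bor ($Seven[6] -shr 6)) -band 0xFE
    $k[7] = ($Seven[6] -shl 1) -band 0xFE
    return ,$k
}

function Get-DesEcbBlock {
    # Single-block DES-ECB encryption with no padding, as LM uses it.
    param([byte[]]$Key, [byte[]]$Block)
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $des.Key     = $Key     # .NET rejects DES weak keys here (an all-NUL half is one)
    $out = $des.CreateEncryptor().TransformFinalBlock($Block, 0, $Block.Length)
    $des.Dispose()
    return ,$out
}

function Get-LMHash {
    # Returns the 32-hex-digit LM hash, or $null where Windows stores none.
    param([string]$Password)
    if ($Password.Length -gt 14) { return $null }   # 15+ characters: no LM hash at all
    $magic = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')
    $p = [System.Text.Encoding]::ASCII.GetBytes($Password.ToUpperInvariant().PadRight(14, [char]0))
    $halves = foreach ($off in 0, 7) {
        [byte[]]$seven = $p[$off..($off + 6)]
        if (-not ($seven | Where-Object { $_ -ne 0 })) {
            # All-NUL half: DES weak key, so use the constant Windows stores for an empty half.
            'AAD3B435B51404EE'
        } else {
            ([System.BitConverter]::ToString((Get-DesEcbBlock (ConvertTo-DesKey $seven) $magic))).Replace('-', '')
        }
    }
    return ($halves -join '')
}

# Constructed sample passwords (not from the post): 7, 8 and 22 characters.
foreach ($pw in 'Secret7', 'Secret7!', 'Secret7! and then some') {
    $h = Get-LMHash $pw
    if ($null -eq $h) { '{0,-24} -> no LM hash stored (15+ characters)' -f $pw }
    else              { '{0,-24} -> {1} {2}' -f $pw, $h.Substring(0, 16), $h.Substring(16) }
}

# The post's point: the second half of the 8-character password is just the hash
# of '!' padded with NULs, so a cracker only has to try single characters for it,
# and the first half is exactly the 7-character password's first half.
(Get-LMHash 'Secret7!').Substring(16)   -eq (Get-LMHash '!').Substring(0, 16)
(Get-LMHash 'Secret7!').Substring(0, 16) -eq (Get-LMHash 'Secret7').Substring(0, 16)

# Self-check of the key expansion against the widely published LM hash of 'password'.
(Get-LMHash 'password') -eq 'E52CAC67419A9A224A3B108F3FA6CB6D'

# The "reg key" the post refers to: stop creating LM hashes at the next password change
# (same as the policy "Network security: Do not store LAN Manager hash value on next
# password change"); existing LM hashes stay until each user changes their password.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -Value 1 -Type DWord
# Raising the domain minimum to 15 (placeholder domain name) makes the LM hash moot:
# Set-ADDefaultDomainPasswordPolicy -Identity contoso.com -MinPasswordLength 15
```

Run it in Windows PowerShell or PowerShell 7 on Windows; the three comparisons near the end each evaluate to True when the key expansion is correct, and the self-check against the published hash of 'password' is the one to trust if you change anything in ConvertTo-DesKey. The NoLMHash value only prevents new LM hashes, which is why the post also recommends clearing the existing ones and the password history.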
RE: AD Password complexity - passwords too long? May 22 2009 09:08PM
Quark IT - Hilton Travis (Hilton QuarkIT com au)
Re: AD Password complexity - passwords too long? May 20 2009 07:58PM
Ansgar Wiechers (bugtraq planetcobalt net)
RE: AD Password complexity - passwords too long? May 19 2009 06:11PM
Cruz, Dariel (dcruz gableseng com) (1 replies)
Re: AD Password complexity - passwords too long? May 20 2009 02:32AM
Anthony Petito (anthonypetito gmail com)
RE: AD Password complexity - passwords too long? May 19 2009 05:50PM
Brian K. Dore (bkd louisiana edu) (3 replies)
Re: AD Password complexity - passwords too long? May 19 2009 06:30PM
Anthony Petito (anthonypetito gmail com)
Re: AD Password complexity - passwords too long? May 19 2009 06:26PM
Anthony Petito (anthonypetito gmail com)
Re: AD Password complexity - passwords too long? May 19 2009 06:06PM
DG Gmail (dgonzalez itpro gmail com) (2 replies)
RE: AD Password complexity - passwords too long? May 22 2009 09:05PM
Quark IT - Hilton Travis (Hilton QuarkIT com au)
RE: AD Password complexity - passwords too long? May 20 2009 04:09PM
Lee Clemens (security leeclemens net)
RE: AD Password complexity - passwords too long? May 19 2009 05:19PM
Lucas, Mark J (mjlucas caltech edu)
RE: AD Password complexity - passwords too long? May 19 2009 05:17PM
Dave Doeppel (doeppel idealab com)
Copyright 2010, SecurityFocus