Focus on Microsoft
AD Password complexity - passwords too long? May 19 2009 04:32PM
dgonzalez itpro gmail com (6 replies)
Re: AD Password complexity - passwords too long? May 20 2009 02:40AM
Torsten Pihl (thorgolucky gmail com) (1 replies)
RE: AD Password complexity - passwords too long? May 20 2009 06:43PM
Jason Hurst (Jason Hurst PandaRG com) (1 replies)
Re: AD Password complexity - passwords too long? May 20 2009 10:20PM
Anthony Petito (anthonypetito gmail com)
Since we haven't seen an update from the OP since yesterday, I can
only assume the issue is more than likely solved. That said, I don't
think it was stated how he was changing his password. Is he going
through the ADUC snap-in or changing it from a client machine? If I
remember correctly, when an Administrator changes a password through
ADUC it bypasses the password history check *but* still adds that
password to the history list for that user. Therefore, if an
Administrator can set a password longer than 10 characters from ADUC
one could only assume that the password you're resetting to probably
does not meet the other complexity requirements that Group Policy is
set to require.

Out of curiosity, I wonder if OP might have been using any NIST/NSA
security checklists or guides to secure the environment. If so, the
password requirements (from enpasflt.dll) could be set stronger than
what the MSFT documentation spells out.

Anthony Petito

On Wed, May 20, 2009 at 1:43 PM, Jason Hurst <Jason.Hurst (at) pandarg (dot) com [email concealed]> wrote:
> While there has been great information in this thread about password
> management, it doesn't really seem to be answering the original
> question, which is why is there an error being generated for passwords
> of more than 10 characters.
>
> Dgonzalez, the first thing I would suggest is to try a completely
> randomly generated password of 12 characters, to insure that you are not
> reusing a previous password that my be disallowed due to password
> history requirements. I'm not sure if I saw this suggestion as a test in
> a previous email.
>
> Additional, it is possible for a non-default password filter to be added
> to a system for password management.
>
> Check the following registry key for non-default filters:
> HKLM\System\CurrentControlSet\Control\LSA\Notification Packages
>
> A changed password filter would be standard in a federal system, and is
> covered by the DISA STIG for Windows systems.
>
> Hopefully this helps.
>
>
> Jason Hurst
> Sr. Network Security Administrator
> Panda Restaurant Group
> jason.hurst (at) pandarg (dot) com [email concealed]
> Please consider the environment before printing this email
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of Torsten Pihl
> Sent: Tuesday, May 19, 2009 7:41 PM
> To: dgonzalez.itpro (at) gmail (dot) com [email concealed]
> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Re: AD Password complexity - passwords too long?
>
> Hi, I'm just mentioning this in passing, assuming you already found
> the answer in the Group Policy thingy.  Pass phrase length is far more
> superior than complexity.  Password complexity encourages folks to
> write their passwords down.  Suboptimal.  Pass phrases are easy to
> remember and resistant to password crackers.
>
> Ja,
> Torsten
>
>
> On Tue, May 19, 2009 at 09:32,  <dgonzalez.itpro (at) gmail (dot) com [email concealed]> wrote:
>> Hello list,
>>
>> We have password complexities set on our domain; minimum password
> length is 8 and all XP users and Windows 2003 servers.
>>
>> I can set my password to 9-10 characters, but if I try to set it for
> 10+ characters, they get the error message that they do not meet the
> complexity requirements.
>>
>> I have searched Microsoft documentation, and find minimum length
> requirements. I think I saw something about 28 characters, and even 127
> characters.
>>
>> Does anyone know if there is a max password length?
>>
>> We would like to keep the minimum 8 characters, and the maximum varied
> at the users discretion. Can this be done?
>>
>>
>> Thanks
>>
>

[ reply ]
Re: AD Password complexity - passwords too long? May 20 2009 12:30AM
ews (ews tellurian net) (2 replies)
RE: AD Password complexity - passwords too long? May 22 2009 09:08PM
Quark IT - Hilton Travis (Hilton QuarkIT com au)
Re: AD Password complexity - passwords too long? May 20 2009 07:58PM
Ansgar Wiechers (bugtraq planetcobalt net)
RE: AD Password complexity - passwords too long? May 19 2009 06:11PM
Cruz, Dariel (dcruz gableseng com) (1 replies)
Re: AD Password complexity - passwords too long? May 20 2009 02:32AM
Anthony Petito (anthonypetito gmail com)
RE: AD Password complexity - passwords too long? May 19 2009 05:50PM
Brian K. Dore (bkd louisiana edu) (3 replies)
Re: AD Password complexity - passwords too long? May 19 2009 06:30PM
Anthony Petito (anthonypetito gmail com)
Re: AD Password complexity - passwords too long? May 19 2009 06:26PM
Anthony Petito (anthonypetito gmail com)
Re: AD Password complexity - passwords too long? May 19 2009 06:06PM
DG Gmail (dgonzalez itpro gmail com) (2 replies)
RE: AD Password complexity - passwords too long? May 22 2009 09:05PM
Quark IT - Hilton Travis (Hilton QuarkIT com au)
RE: AD Password complexity - passwords too long? May 20 2009 04:09PM
Lee Clemens (security leeclemens net)
RE: AD Password complexity - passwords too long? May 19 2009 05:19PM
Lucas, Mark J (mjlucas caltech edu)
RE: AD Password complexity - passwords too long? May 19 2009 05:17PM
Dave Doeppel (doeppel idealab com)


 

Privacy Statement
Copyright 2010, SecurityFocus