Focus on Microsoft
AD Password complexity - passwords too long? May 19 2009 04:32PM
dgonzalez itpro gmail com (6 replies)
Re: AD Password complexity - passwords too long? May 20 2009 02:40AM
Torsten Pihl (thorgolucky gmail com) (1 replies)
RE: AD Password complexity - passwords too long? May 20 2009 06:43PM
Jason Hurst (Jason Hurst PandaRG com) (1 replies)
Re: AD Password complexity - passwords too long? May 20 2009 10:20PM
Anthony Petito (anthonypetito gmail com)
Re: AD Password complexity - passwords too long? May 20 2009 12:30AM
ews (ews tellurian net) (2 replies)
RE: AD Password complexity - passwords too long? May 22 2009 09:08PM
Quark IT - Hilton Travis (Hilton QuarkIT com au)
G'day EWS,

You forgot to mention that you can disable the generation of LMHash values which will remove this weakness. That's pretty much the first thing we do when installing a Windows Server - disable LMHash generation.

--

http://hiltont.blogspot.com/

Regards,

Hilton Travis Phone: +61 (0)7 3105 9101
(Brisbane, Australia) Phone: +61 (0)419 792 394
Manager, Quark IT http://www.quarkit.com.au
Quark Group http://www.quarkgroup.com.au

Microsoft SBSC PAL (Australia) http://www.sbscpal.com/

War doesn't determine who is right. War determines who is left.

> -----Original Message-----
> On Behalf Of ews
> Sent: Wednesday, 20 May 2009 10:31
>
> The difference between 7 and 8 is computationally negligible these
> days. 8 characters creates two halves of a LanMan hash (which is still
> created by default, both on servers and workstations). Enforcing an
> eight character complex password means users will typically put the
> special character (*&^%$) as the last character. (and many users will
> only create the minimal length password) That leaves the first seven
> characters as alpha-numeric - which can be cracked with a small
> character set in a password cracker. The eighth character is then the
> special character, which is the first character in the second LanMan
> hash - so it will crack instantly in a password cracker. You've then
> compromised a complex password of 8 characters in a matter of minutes.
>
> If the password minimum length is seven, most users will make theirs
> seven, which means the special character is within the first 7 (probably
> last, but that doesn't matter) which means in order to crack the lanman
> hash, you'd need to run the cracker with the entire character set (not
> just alphanumeric) over the entire 7 character range - which will take a
> long time. Using this analogy, a seven character complex password will
> usually be tougher to crack than an 8-12 character complex password.
>
> If you insist upon using 8, then make sure to set the reg key on all
> desktops, servers, and domain controllers to not create the LanMan
> hash. Then, run some of the freeware tools available to delete all
> existing LanMan hashes from the password history (as they can be used to
> help guess what the current password is).
>
> Better yet, enforce a minimum of 15 characters. You should still run a
> tool to delete all the old password hashes just to be safe. With a 15
> character password, it won't save the LM hash, so it will be much
> tougher to crack.
>
> I've done an experiment in the classroom on password length (before
> Steve Riley wrote an article on this - no offense Steve!). I ask each
> person on one side of the classroom to pick a password. They think up a
> password - one they would typically use at work. Don't say it, just
> think of it. Then I ask people on the other side of the classroom to
> think of a passphrase. Don't say it out loud - just think of it. I ask
> the first side of the room (password) to count the length of the
> password they thought of - and I ask the others (passphrase) to count
> the length of their passphrase. The first side of the room is usually
> sitting between 7 and 13 characters long. The second side of the
> classroom is anywhere from 20 to 60 characters long (rarely shorter than
> 15).
>
> Asking users to think of passwords as 'passphrases' is a really good way
> to encourage long password length. It's usually easier for a user to
> remember their passphrase, and it's easy for them to change it next
> month (they can simply change a word or value in their phrase.) A good
> passphrase usually includes one or more spaces in the phrase - that
> helps with the special character (how many people put spaces in their
> passwords? not many...)
>
> Therefore, if you want to go with a minimum less than 15, use 7, else do
> 15+ and educate folks about the coolness of the passphrase. Just don't
> use 8. (See my article here - why 7 is better than 8:
> http://www.securityfocus.com/infocus/1319)
>
>
> dgonzalez.itpro (at) gmail (dot) com wrote:
> > Hello list,
> >
> > We have password complexities set on our domain; minimum password
> > length is 8 and all XP users and Windows 2003 servers.
> >
> > I can set my password to 9-10 characters, but if I try to set it for
> > 10+ characters, they get the error message that they do not meet the
> > complexity requirements.
> >
> > I have searched Microsoft documentation, and find minimum length
> > requirements. I think I saw something about 28 characters, and even 127
> > characters.
> >
> > Does anyone know if there is a max password length?
> >
> > We would like to keep the minimum 8 characters, and the maximum
> > varied at the users' discretion. Can this be done?
> >
> > Thanks

This document and any attachments are for the intended recipient only.
It may contain confidential, privileged or copyright material which
must not be disclosed or distributed without prior approval.

Quark Group Pty Ltd :: ABN 23 114 975 772
Trading As Quark AudioVisual, Quark Automation, Quark IT
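
As an added example that is not part of this message or any post in the thread: a small Python audit of a pwdump-style hash dump that shows what each stored LM hash gives away, which is the practical follow-up to both points above (turn LM hash generation off, then find the LM hashes that are still sitting in the database). It relies only on the public empty-password constants (LM AAD3B435B51404EEAAD3B435B51404EE, NT 31D6CFE0D16AE931B73C59D7E0C089C0) and on the LM construction itself: uppercase, truncate to 14, split into two 7-byte halves hashed separately, and nothing stored at all for 15+ character passwords or when the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is set. The usernames, RIDs and every non-constant hex value in the sample dump are constructed, and the DES step is deliberately not reproduced; the helper that splits a password into its halves and the guess-count function are illustrations of the 7-versus-8 argument, not tools from the thread.

```python
"""Audit a pwdump-style hash dump for LM-hash exposure.

Added example for this thread, not code from the list posts. It parses the
pwdump / secretsdump line format  user:rid:lmhash:nthash:::  and reports
what each stored LM hash gives away, using one public constant: the LM hash
of the empty password, AAD3B435B51404EEAAD3B435B51404EE. LM uppercases the
password, truncates it to 14 characters, splits it into two 7-byte halves
and hashes each half separately, so a password of 7 or fewer characters
leaves the second half equal to the empty-password half, a password of 8-14
characters yields two halves an attacker cracks independently, and a
password of 15 or more characters (or NoLMHash=1 under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa) stores no LM hash at all.
The sample dump is constructed; apart from the empty-password constants its
hex values are made up, since classification only compares against those.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LM_EMPTY_HALF = "aad3b435b51404ee"             # LM half produced by an all-null 7-byte key
LM_EMPTY = LM_EMPTY_HALF * 2                   # LM hash of the empty password
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> List[Account]:
    """Parse user:rid:lmhash:nthash::: lines; blank lines and # comments are skipped."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
            raise ValueError(f"malformed pwdump line: {line!r}")
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def lm_halves(password: str) -> Tuple[str, str]:
    """Show which characters land in each LM half: uppercase, cut at 14, split at 7.
    The DES step is not reproduced; the split is what makes the 8th character weak."""
    p = password.upper()[:14]
    return p[:7], p[7:]


def classify(acct: Account) -> str:
    """What the stored LM hash reveals about the account's password."""
    if acct.lm == LM_EMPTY:
        if acct.nt == NT_EMPTY:
            return "blank password"
        return "no LM hash (NoLMHash set or password >= 15 chars)"
    if acct.lm[16:] == LM_EMPTY_HALF:
        return "LM hash present, password <= 7 chars"
    return "LM hash present, password 8-14 chars (halves crack independently)"


def audit(text: str) -> Dict[str, str]:
    """Map each user in the dump to its LM verdict."""
    return {a.user: classify(a) for a in parse_pwdump(text)}


def lm_candidates(first: Tuple[int, int], second: Tuple[int, int] = (0, 0)) -> int:
    """Guesses needed to exhaust an LM hash, given (length, charset size) per half.
    The halves are attacked independently, so the costs add instead of multiplying.
    Charset 69 = printable ASCII minus the 26 lowercase letters LM folds away;
    36 = uppercase letters plus digits."""
    (n1, c1), (n2, c2) = first, second
    return c1 ** min(n1, 7) + (c2 ** min(n2, 7) if n2 else 0)


SAMPLE_DUMP = """\
# constructed sample dump; only the empty-password constants are real values
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1104:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1105:0123456789abcdef0123456789abcdef:1111111111111111ffffffffffffffff:::
"""

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_DUMP).items():
        print(f"{user:14} {verdict}")
    print(lm_halves("Passw0rd!"))                  # ('PASSW0R', 'D!')
    # 8 chars with the special character last: alnum first half, one-character second half
    print(lm_candidates((7, 36), (1, 69)))          # 36**7 + 69
    # 7 chars with the special character anywhere: the full charset over one half
    print(lm_candidates((7, 69)))                   # 69**7
    # 14 chars: still only two 7-char halves, never 69**14
    print(lm_candidates((7, 69), (7, 69)))          # 2 * 69**7
```

Run it against a real dump by passing the file contents to audit(); any verdict other than "no LM hash" after NoLMHash has been set means that account's password has not been changed since, which is exactly the leftover hash the post above says to clear.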

Re: AD Password complexity - passwords too long? May 20 2009 07:58PM
Ansgar Wiechers (bugtraq planetcobalt net)
RE: AD Password complexity - passwords too long? May 19 2009 06:11PM
Cruz, Dariel (dcruz gableseng com) (1 replies)
Re: AD Password complexity - passwords too long? May 20 2009 02:32AM
Anthony Petito (anthonypetito gmail com)
RE: AD Password complexity - passwords too long? May 19 2009 05:50PM
Brian K. Dore (bkd louisiana edu) (3 replies)
Re: AD Password complexity - passwords too long? May 19 2009 06:30PM
Anthony Petito (anthonypetito gmail com)
Re: AD Password complexity - passwords too long? May 19 2009 06:26PM
Anthony Petito (anthonypetito gmail com)
Re: AD Password complexity - passwords too long? May 19 2009 06:06PM
DG Gmail (dgonzalez itpro gmail com) (2 replies)
RE: AD Password complexity - passwords too long? May 22 2009 09:05PM
Quark IT - Hilton Travis (Hilton QuarkIT com au)
RE: AD Password complexity - passwords too long? May 20 2009 04:09PM
Lee Clemens (security leeclemens net)
RE: AD Password complexity - passwords too long? May 19 2009 05:19PM
Lucas, Mark J (mjlucas caltech edu)
RE: AD Password complexity - passwords too long? May 19 2009 05:17PM
Dave Doeppel (doeppel idealab com)
Copyright 2010, SecurityFocus