Password Complexity and Dictionary Lookups

  • Thread starter: Howard Goldstein

Howard Goldstein

We are getting ready to implement complex passwords in our domain. I've done
some testing and it seems there are times when even though I'm meeting all of
the complex password requirements, it will still not accept my new password.
I'm curious if by implementing more complex passwords, there is also a
requirement that the passwords cannot be easily subjected to dictionary
lookups? I haven't been able to find anything that talks about this so I was
just wondering if it's something I need to warn my users about.
 
It is highly likely your users need to be informed accurately,
but that you do not have a full grasp on the complexity rules.
What do you think they are? In addition to length and change
frequency (separate settings) the complexity requirements are
not just use of 3 of the 4 character sets, but also one cannot
include user name (and there are the other settings controlling
reuse of passwords).

Keep in mind that the existing complexity rules are close to
meaningless, as one such as 1Password! will pass but will get
discovered in a rainbow table attempt in very little time.

Perhaps you should not just inform your users of the minimum
to meet the complexity rules, but also advise them on what
makes for a good password (ex. a long phrase).

Roger

"Howard Goldstein" <HowardGoldstein@discussions.microsoft.com> wrote in
message news:81748CC2-DBF6-4629-B92F-D882F7F56EE2@microsoft.com...
> We are getting ready to implement complex passwords in our domain. I've done
> some testing and it seems there are times when even though I'm meeting all of
> the complex passwords requirements, it will still not accept my new password.
> I'm curious if by implementing more complex passwords, there is also a
> requirement that the passwords can not be easily subjected to dictionary
> lookups? I haven't been able to find anything that talks about this so I was
> just wondering if it's something I need to warn my users about.
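To make Roger's two points concrete (the complexity rule is satisfied by 3 of 4 character classes plus the no-user-name check, yet a password like 1Password! is still a dictionary word with trivial decoration), here is an added example checker. It is not code from the thread or from Microsoft; it models the rule as Roger describes it, adds the display-name-part check that I understand the Windows policy also applies (a common reason a password that "meets the rules" is still rejected), and uses a small constructed wordlist in place of a real cracking dictionary.

```python
import re

# Constructed wordlist for the demonstration only; a real check would load a
# large list such as a breached-password corpus.
DICTIONARY = {"password", "welcome", "summer", "letmein", "company"}

# The "3 of 4 character sets" Roger refers to.
CATEGORIES = [
    re.compile(r"[A-Z]"),          # uppercase letters
    re.compile(r"[a-z]"),          # lowercase letters
    re.compile(r"[0-9]"),          # digits
    re.compile(r"[^A-Za-z0-9]"),   # non-alphanumeric (symbols, space)
]

def name_tokens(account_name, full_name):
    """Name parts the password may not contain: the account name plus any
    display-name part longer than two characters (assumed Windows behaviour)."""
    tokens = {account_name.lower()}
    for part in re.split(r"[ ,.\-_#\t]+", full_name):
        if len(part) > 2:
            tokens.add(part.lower())
    return tokens

def meets_complexity(password, account_name, full_name="", min_length=6):
    """Return (ok, reason) for the complexity rule as described in the thread."""
    if len(password) < min_length:
        return False, "too short"
    lowered = password.lower()
    for tok in name_tokens(account_name, full_name):
        if tok and tok in lowered:
            return False, f"contains name part {tok!r}"
    hits = sum(1 for cat in CATEGORIES if cat.search(password))
    if hits < 3:
        return False, f"only {hits} of 4 character classes"
    return True, "ok"

def dictionary_base(password):
    """Strip leading and trailing digits/symbols: a crude version of the
    mangling rules cracking tools undo, so 1Password! reduces to 'password'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()

def is_dictionary_derived(password, wordlist=DICTIONARY):
    """True when the password is just a wordlist entry with decoration."""
    return dictionary_base(password) in wordlist

if __name__ == "__main__":
    for pw in ["1Password!", "Goldstein#2024", "Long phrases beat 1Password!"]:
        print(pw, meets_complexity(pw, "hgoldstein", "Howard Goldstein"),
              "dictionary-derived" if is_dictionary_derived(pw) else "not in list")
```

Running it shows 1Password! passing complexity while being dictionary-derived, and Goldstein#2024 failing on the name check despite using three character classes.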
 
"Howard Goldstein" wrote:

> We are getting ready to implement complex passwords in our domain.


Far more important is to implement retry-lockout, and a mechanism to warn an
Admin where repeated attempts are occurring, since (for a remotely-accessible
account) that might signal a 'bot attack. This approach is far more likely
to protect you from a brute-force attack than are passwords of monster
complexity.

Strangely, the default 2003 Domain Policies DON'T require this.
 