Password Compexity and Dictionary Lookups

H

Howard Goldstein

We are getting ready to implement complex passwords in our domain. I've done
some testing and it seems there are times when even though I'm meeting all of
the complex passwords requirements, it will still not accept my new password.
I'm curious if by implementing more complex passwords, there is also a
requirement that the passwords can not be easily subjected to dictionary
lookups? I haven't been able to find anything that talks about this so I was
just wondering if it's something I need to warn my users about.
 
R

Roger Abell [MVP]

It is highly likely your users need to be informed accurately,
but that you do not have a full grasp on the complexity rules.
What do you think they are? In addition to length and change
frequency (separate settings) the complexity requirements are
not just use of 3 of the 4 character sets, but also one cannot
include user name (and there are the other settings controlling
reuse of passwords).

Keep in mind that the existing complexity rules are close to
meaningless, as such as 1Password! will pass but will get
discovered in a rainbow table attempt in very little time.

Perhaps you should not just inform your users of the minimum
to meet the complexity rules, but also advise them on what
makes for a good password (ex. a long phrase).

Roger

"Howard Goldstein" <HowardGoldstein@discussions.microsoft.com> wrote in
message news:81748CC2-DBF6-4629-B92F-D882F7F56EE2@microsoft.com...
> We are getting ready to implement complex passwords in our domain. I've
> done
> some testing and it seems there are times when even though I'm meeting all
> of
> the complex passwords requirements, it will still not accept my new
> password.
> I'm curious if by implementing more complex passwords, there is also a
> requirement that the passwords can not be easily subjected to dictionary
> lookups? I haven't been able to find anything that talks about this so I
> was
> just wondering if it's something I need to warn my users about.
 
A

Anteaus

"Howard Goldstein" wrote:

> We are getting ready to implement complex passwords in our domain.

Far more important is to implement retry-lockout, and a mechanism to warn an
Admin where repeated attempts are occurring, since (for a remotely-accessible
account) that might signal a 'bot attack. This approach is far more likely
to protect you from a brute-force attack than are passwords of monster
complexity.

Strangely, the default 2003 Domain Polices DON'T require this.
 
You must log in or register to reply here.

Similar threads

D
AD Password Change- Password does not meet requirements
Replies
0
Views
11
David Galway
D
Y
  • Article
How to prepare for Windows 10 end of support by moving to Windows 11 today
Replies
0
Views
23
Yusuf Mehdi, Executive Vice President, Consumer
Y
J
  • Article
How Copilots are helping customers and partners drive pragmatic innovation to achieve business results that matter
Replies
0
Views
18
Judson Althoff
J
Y
  • Article
The most personal Windows 11 experience begins rolling out today
Replies
0
Views
152
Yusuf Mehdi, Corporate Vice President &#38
Y
M
I'm trying to disable password requirements and can't figure it out.
Replies
0
Views
57
Mingablo
M
Back
Top Bottom