strong passwords

Guest

In my company, we are applying strong passwords and I have the following
configuration:
- enforce password history = 12
- maximum password age = 90 days
- minimum password age = 0
- minimum password length = 6
- password must meet complexity ... = disable
- store passwords using .... = disable
Now, after the changes it will be of the following form:
- enforce password history = 14
- maximum password age = 45 days
- minimum password age = 0
- minimum password length = 8
- password must meet complexity ... = enable
- store passwords using .... = disable

What's the impact on my environment that will occur on all workstations in my
company?
 
Ryan Hanisco

Flavio,

You will not see an impact to your end users until they are forced to change
their passwords. Then the complexity requirements will go into effect.
Brace yourself for the helpdesk calls and public outcry. Do yourself a favor
and send out a notice, e-mail, newsletter, whatever outlining the change,
and give them warning.

Make sure you understand what a strong password is. Most people, not in IT,
will be shocked at the requirements and take it personally that you are
making their lives harder. Also, you may actually see a reduction in
security as people write these things down and store them under their
keyboards.

Good PR and management buy in are the only way to really effect this change.
 
Herb Martin

Agreed.

Also note, that a truly complex password with well educated
users who will NEVER share their password and who understand
the NEED for security might better be left for a LONGER period.

A good password that is never shared does not (really) need
to be changed very often.
 
Cary Shultz [A.D. MVP]

Flavio,

In addition to what Ryan and Herb ( Howdy, Guys! ) have stated I would
suggest that you have a minimum password age of at least 10 days. Why?
Because without a minimum password age your smarter users will quickly find
out that they can change their password xx number of times ( in your case,
14 ) in rapid succession to get back to their favorite password. Thus, your
password policy will not really be that effective. With 10 days as the
minimum password age most - hopefully all! - users will have given up!

I would also suggest that you contact the MS PSS and get the fix ( for
free ) and install it on all of your computers ( Domain Controllers, Member
Servers, Workstations ) as your users will most likely NOT come up with a
password that will meet the complexity requirements. This will result
in an error message that is quite generic and not very informative. With
this hot fix the users will be given an error message that spells out
exactly what they need to do ( assuming that they read it! ).

Here is the link:

http://support.microsoft.com/?id=821425


You might also want to take a look at this MSKB Article:

http://support.microsoft.com/?id=309799

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
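The history-cycling problem Cary describes, applied to the "after" settings from the question, as an added simulation that is not code from the thread or from Microsoft. It is a simplified model of the Windows password-policy checks (history, minimum age, length, the 3-of-4 character-class complexity rule); the account name, dates and throwaway passwords are constructed for the example.

```python
from datetime import datetime, timedelta


class PasswordPolicy:
    """Policy values from the question's new configuration; min age is a parameter."""
    def __init__(self, history=14, min_age_days=0, min_length=8, complexity=True):
        self.history = history
        self.min_age = timedelta(days=min_age_days)
        self.min_length = min_length
        self.complexity = complexity


def meets_complexity(pw, username):
    # Simplified Windows rule: at least 3 of 4 character classes, no username in it.
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) >= 3 and username.lower() not in pw.lower()


class Account:
    def __init__(self, username, password, policy, now):
        self.username, self.policy, self.current = username, policy, password
        self.recent = [password]   # history list, most recent first (includes current)
        self.last_set = now

    def change_password(self, new_pw, now):
        """Return None if the change is accepted, else the reason it was refused."""
        p = self.policy
        if now - self.last_set < p.min_age:
            return "minimum password age not reached"
        if len(new_pw) < p.min_length:
            return "too short"
        if p.complexity and not meets_complexity(new_pw, self.username):
            return "does not meet complexity requirements"
        if new_pw in self.recent[:p.history]:
            return "password was used recently"
        self.current, self.last_set = new_pw, now
        self.recent = [new_pw] + self.recent[:p.history - 1]
        return None


def cycle_back(min_age_days):
    """A user changes 14 times in a row, then tries to reuse the original password.
    Returns (number of accepted changes, whether the original was accepted again)."""
    t0 = datetime(2004, 1, 15)   # constructed date
    acct = Account("flavio", "Favorite!1", PasswordPolicy(min_age_days=min_age_days), t0)
    accepted = 0
    for i in range(14):
        accepted += acct.change_password(f"Throwaway{i}!", t0 + timedelta(minutes=i)) is None
    reused = acct.change_password("Favorite!1", t0 + timedelta(minutes=15)) is None
    return accepted + reused, reused
```

With a minimum age of 0 all fifteen changes go through and the favourite password is back within minutes; with Cary's 10-day minimum every one of them is refused.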
 
Herb Martin

I also would say that trying for secure passwords
shorter than 15 characters is a futile effort.

I have personally seen 14 character, semi-complex
passwords broken in 10-20 seconds on demand.
 
Ryan Hanisco

10-20 seconds?? That's a bit quick, but I completely believe you. Maybe
you hang out with a tougher crowd than I do?

I have seen a user forget a 6 character password in 10-20 seconds though.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

PS: Hello to Herb and Cary from the frozen tundra of Chicago. I hope your
days are warmer than mine.
 
Herb Martin

Ryan Hanisco said:
10-20 seconds?? That's a bit quick, but I completely believe you. Maybe
you hang out with a tougher crowd than I do?

I have seen a user forget a 6 character password in 10-20 seconds though.

Heck *I* have forgotten a 5 character password
but after a bit of training they can be taught to
remember 15+ characters.

This forgetting is one of the reason I am willing
to let them keep a password longer (than some
other admins) -- IF they have a strong password,
AND IF they do not expose it to others then it
will remain secure longer than a short password
under attack.

Also, short passwords are MUCH easier for a
lurker to extract by watching over someone's
shoulder -- which users should be taught to
avoid.

In fact, users should be taught to give their
password to NO ONE and that it is
politeness to turn away when someone types
a password.
 
Herb Martin

Cary Shultz said:
Ryan,

It is not so cold here in lovely Roanoke, VA as in Chicago, IL but we still
have it in the low low 30s and upper 20s during the day. Our little guy doesn't
quite know how to react when I take him outside!

Oh, I missed that point but here in central Texas it
was short-sleeve shirt weather.
 