James,
 
The password problem is not one of brute force.  Believe me, I use these figures frequently when discussing things with Executives, because Bink's chart (BTW not a name loved in the MVP Community - and shame on MS for caving....) is very impressive.  But, if I can grab some pertinent data (pwdump, etc.) and use tools such as John the Ripper or L0phtCrack, then these numbers are meaningless as the brute force element is no longer in play.
 
The reason that it is important to change passwords on some relative frequency is not because Stephen Bink is right - because he is - if pure math is all that is at work.  The reason to change passwords at some relative frequency is to ensure that you are lessening the risk of compromise due to a number of other factors that have nothing to do with brute force.
 
Let's look at it from another perspective:  Security is ALL ABOUT reducing the Attack Surface.  We as the Defenders have a hard job - we are required to secure and strengthen each and every nook and cranny of our computers, OSs, networks, buildings, etc.  The attackers have an advantage - they can attack that one small area that we missed or didn't bolster to a sufficient level.  And, if they can't get it immediately, they can chip away a little bit at a time until they do in a very quiet and clandestine way.
 
This is why we change passwords frequently - because you just don't know who is using your user's username and password.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 9:33 PM
To: [EMAIL PROTECTED]

http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc022703/wcblurb022703.asp

The below is referenced from:

http://winxp.bink.nu/ :

Interesting password points:

Password length and possible permutations
6 characters = 689,869,781,056
7 characters = 64,847,759,419,264
8 characters = 6,095,689,385,410,816
9 characters = 572,994,802,228,616,704
10 characters = 53,861,511,409,489,970,176

Given a 60 day password expiry date and a password of 7 characters, it would require about 7,407,407 logon attempts per second to find the password
Play the lottery, the odds are much better!

Password security recommendations:

Security   Account Lockout Settings**                      Password Policy Settings                                                             Cost
Category   Threshold  Reset after (min)  Duration (min)    History  Max Password Age (days)  Min Password Age (days)  Password Length  Complexity
Low        -          -                  -                 3        42                       0                        0                disabled      Low
Medium     10         30                 30                24       42                       1                        7                enabled       Medium
High       10         30                 Infinite/0        24       42                       1                        8                enabled       High

[Only the "Max Password Age", "Password Age" and "Password Length" sub-headings survived in the original; the labels for the lockout, history and complexity columns are inferred from the Windows policy settings and the row values.]
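An added example, not from the thread, that recomputes the keyspace figures above (they are 94**n, for the 94 printable ASCII characters) and contrasts the guess rate an online attacker can sustain under the table's Medium lockout settings (threshold 10, 30-minute reset) with an offline attack against dumped hashes, which is Rick's point; the offline rate of 10 million guesses per second is an assumption for illustration, not a figure from the thread.

```python
# Added example, not part of the thread: recomputes the keyspace figures
# quoted from winxp.bink.nu (they are 94**n for the 94 printable ASCII
# characters) and contrasts the guess rate an online attacker can sustain
# under the table's lockout settings with an ASSUMED offline cracking rate
# against dumped hashes (pwdump + John the Ripper), which is Rick's point.

PRINTABLE_ASCII = 94
SECONDS_PER_DAY = 86_400


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet ** length


def rate_to_exhaust(length, expiry_days):
    """Guesses per second needed to try every password before it expires."""
    return keyspace(length) / (expiry_days * SECONDS_PER_DAY)


def online_guess_rate(threshold, reset_minutes):
    """Sustained guesses/sec against one account under a lockout policy.

    With `threshold` bad attempts triggering lockout and the counter
    resetting after `reset_minutes`, an attacker who wants to avoid the
    lockout gets threshold-1 guesses per window.  Threshold 0 means
    lockout is disabled, so the rate is bounded only by the server.
    """
    if threshold == 0:
        return float("inf")
    return (threshold - 1) / (reset_minutes * 60)


def days_to_exhaust(length, guesses_per_second):
    """Days needed to try every password of `length` at the given rate."""
    return keyspace(length) / guesses_per_second / SECONDS_PER_DAY


def compare(length=7, expiry_days=60, offline_rate=10_000_000):
    """Online (Medium policy from the table) vs offline (assumed rate)."""
    return {
        "keyspace": keyspace(length),
        "rate_needed_for_expiry": rate_to_exhaust(length, expiry_days),
        "online_days": days_to_exhaust(length, online_guess_rate(10, 30)),
        "offline_days": days_to_exhaust(length, offline_rate),
    }


if __name__ == "__main__":
    for n in range(6, 11):
        print(f"{n} characters = {keyspace(n):,}")
    r = compare()
    print(f"online attack under Medium policy: {r['online_days']:.3g} days")
    print(f"offline at 10M/s (assumed): {r['offline_days']:.1f} days")
```

The online figure shows why lockout, not expiry, is what defeats guessing against the live system; the offline figure shows why, once the hashes are captured, the expiry window is the only clock left and a 60-day one barely matters.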
