|
Queue Idan? Where's this at?
URL? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, May 14, 2004 1:46 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] consequences of setting password expiration lengt h Crap, I didn't even catch the part about never changing the
password, that is assinine. Any admin who set a policy like that needs to be
washing dishes for a living.
On the password reset help desk business, get a self-help
reset web site... Queue Idan from M-Tec.....
joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, May 14, 2004 2:33 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] consequences of setting password expiration lengt h And would you want something that never changes? On
the one hand it reduces your help-desk-password-reset-side-business
impact. On the other hand, it is much more likely to be shared or
otherwise circulated by silly users. Oh sure, "our policy prevents that"
you say. But think about it. Is a policy that you don't enforce a
worthless policy? I say it is.
OT: in case you're wondering, here's a group who
claims to be able to crack Windows passwords in 13.6 seconds with standard OTF
hardware. Not perfect, but intereesting anyway http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03
Al From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, May 14, 2004 1:59 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] consequences of setting password expiration length But would you want a password policy weaker on your admins
than on your users?
joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: Friday, May 14, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] consequences of setting password expiration length I thought we were
discussing end user policies though not TS Admins From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe It is a good idea. I
use pass phrases... however trying using TS Manager to grab one a session when
you have a long password like that, comes back and tells you bad password even
though you can log into a "fresh" TS session just fine.
joe From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Craig
Cerino It really depends on
what type of group policy you se. On an interesting note
- -I just attended the Microsoft Security Strategies Road Show this week and the
topic of passwords vs. passphrases was brought
up. If you are willing to
implement the policy - - if you force your users to use a minimum 15 character
password/passphrase (i.e. my dog has
fleas which is 16 including spaces - - remember with windows you can
use spaces in passwords) you can have them never be forced to change their
password, not use lockouts after X bad attempts and still have just over
1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute
force attack - -it would conceivably take thousands of years to crack a
password. n
Minimum of 15
characters means no LMHash created n
15 lowercase letters =
1,677,259,342,285,725,925,376 possibilities n
Try a million a second,
it'll take 531,855 centuries (credited
to Mark Minasi) Just a little idea they
through out there. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Thommes, Michael
M. Hi
Folks, I apologize for
the question since I think it has been battered around in one form or another
but I can't seem to find the answer. The question: a related company root
admin wants to see a password expiration length time on a W2K domain. He
is worried that everyone's password will expire at the same time. Correct
or incorrect? TIA! Mike
Thommes
|
- RE: [ActiveDir] consequences of setting password expir... Mulnick, Al
- RE: [ActiveDir] consequences of setting password ... Thommes, Michael M.
- RE: [ActiveDir] consequences of setting password ... Mulnick, Al
- RE: [ActiveDir] consequences of setting password ... Rimmerman, Russ
- RE: [ActiveDir] consequences of setting password ... Mulnick, Al
- RE: [ActiveDir] consequences of setting password ... Coleman, Hunter
