Identifying the issues is easy.  Getting others to understand and work to resolve the issue is what separates the dish washers from the IT professionals and developers ;-)


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

Crap, I didn't even catch the part about never changing the password, that is asinine. Any admin who set a policy like that needs to be washing dishes for a living.
 
On the password reset help desk business, get a self-help reset web site... Cue Idan from M-Tec.....
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

And would you want something that never changes?  On the one hand it reduces your help-desk-password-reset-side-business impact.  On the other hand, it is much more likely to be shared or otherwise circulated by silly users.  Oh sure, "our policy prevents that" you say.  But think about it.  Is a policy that you don't enforce a worthless policy?  I say it is. 
 
OT: in case you're wondering, here's a group who claims to be able to crack Windows passwords in 13.6 seconds with standard OTF hardware.  Not perfect, but interesting anyway: http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03
 
Al


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins than on your users?
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

I thought we were discussing end user policies though, not TS Admins.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

 

It is a good idea. I use pass phrases... however, try using TS Manager to grab a session when you have a long password like that; it comes back and tells you bad password even though you can log into a "fresh" TS session just fine.

 

  joe

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, May 14, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you set.

 

On an interesting note - I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up.

 

If you are willing to implement the policy - if you force your users to use a minimum 15 character password/passphrase (i.e. my dog has fleas, which is 16 including spaces - remember, with Windows you can use spaces in passwords) you can have them never be forced to change their password, not use lockouts after X bad attempts and still have just over 1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute force attack - it would conceivably take thousands of years to crack a password.

 

* Minimum of 15 characters means no LMHash created
* 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
* Try a million a second, it’ll take 531,855 centuries

(credited to Mark Minasi)

 

Just a little idea they threw out there.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

 

Hi Folks,

    I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer.  The question: a related company root admin wants to see a password expiration length time on a W2K domain.  He is worried that everyone's password will expire at the same time.  Correct or incorrect?  TIA!

 

Mike Thommes