RE: [ActiveDir] consequences of setting password expiration length

2004-05-17 Thread Pettigrew, Jackie

What is this to do with the question I posted?

  -Original Message-
  From: Craig Cerino [mailto:[EMAIL PROTECTED]
  Sent: 17 May 2004 12:19
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  Yikes - I was merely offering up an idea that was posed by a very well
  respected Active Directory expert - I never said it was something I do - or
  even would do - I actually started off the repeat of the idea by saying
  "If you were willing"
  
  
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 14, 2004 2:46 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  Crap, I didn't even catch the part about never changing the password, that is
  asinine. Any admin who set a policy like that needs to be washing dishes for
  a living.

  On the password reset help desk business, get a self-help reset web site...
  Queue Idan from M-Tec.

   joe
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
  Sent: Friday, May 14, 2004 2:33 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  And would you want something that never changes? On the one hand it reduces
  your help-desk-password-reset-side-business impact. On the other hand, it is
  much more likely to be shared or otherwise circulated by silly users. Oh
  sure, "our policy prevents that" you say. But think about it. Is a policy
  that you don't enforce a worthless policy? I say it is.

  OT: in case you're wondering, here's a group who claims to be able to crack
  Windows passwords in 13.6 seconds with standard OTF hardware. Not perfect,
  but interesting anyway http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

  Al
  
  
  
  
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 14, 2004 1:59 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  But would you want a password policy weaker on your admins than on your
  users?

   joe

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
  Sent: Friday, May 14, 2004 12:43 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  I thought we were discussing end user policies though not TS Admins

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, May 14, 2004 12:33 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  It is a good idea. I use pass phrases... however trying using TS Manager to
  grab one a session when you have a long password like that, comes back and
  tells you bad password even though you can log into a "fresh" TS session
  just fine.

   joe
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
  Sent: Friday, May 14, 2004 11:54 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  It really depends on what type of group policy you use.

  On an interesting note - I just attended the Microsoft Security Strategies
  Road Show this week and the topic of passwords vs. passphrases was brought
  up.

  If you are willing to implement the policy - if you force your users to use a
  minimum 15 character password/passphrase (i.e. "my dog has fleas" which is 16
  including spaces - remember with Windows you can use spaces in passwords) you
  can have them never be forced to change their password, not use lockouts
  after X bad attempts and still have just over 1,677,259,342,285,725,925,376
  different possibilities. Meaning even with a brute force attack - it would
  conceivably take thousands of years to crack a password.

  - Minimum of 15 characters means no LMHash created
  - 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
  - Try a million a second, it'll take 531,855 centuries
  (credited to Mark Minasi)

  Just a little idea they threw out there.
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
  Sent: Friday, May 14, 2004 11:04 AM
  To: Active Directory Mailing List (E-mail)
  Subject: [ActiveDir] consequences of setting password expiration length

  Hi Folks,

  I apologize for the question since I think it has been battered around in one
  form or another but I can't seem to find the answer. The question: a related
  company root admin wants to see a password expiration length time on a W2K
  domain. He is worried that everyone's password will expire at the same time.
  Correct or incorrect? TIA!

  Mike Thommes


RE: [ActiveDir] consequences of setting password expiration length

2004-05-17 Thread Craig Cerino

The first part of my initial response was to your direct question - It depends
on what type of group policy you use - You can exclude certain accounts from a
general policy and they would not expire at the same time.

The other part of my response was just a side note on optional password
expiration policies.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pettigrew, Jackie
Sent: Monday, May 17, 2004 8:08 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] consequences of setting password expiration length

What is this to do with the question I posted?






RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Mulnick, Al

Depends on which part of the process you're concerned about. Will the
passwords expire at the same time? Not necessarily. They'll all expire at the
interval of password expiration based on pwdLastSet. To play that out, if
user 1 last set her pwd yesterday, she has until pwd expiration interval from
yesterday. If user2 last set his pwd two weeks ago, he'll get the notification
pwd expiration - 2 weeks.

So, unless all accounts just had their pwd set at the exact same time, then
no, they won't all get their pwd notification at the same time. They'll get it
when they next meet the criteria. To be more articulate in your admin's case,
they will all expire at the same time *interval* vs. the same exact moment in
time. Not that it matters for most domains, but...

Al




RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Thommes, Michael M.

Thanks, Al!

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 14, 2004 10:29 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] consequences of setting password expiration length

  Depends on which part of the process you're concerned about. Will the
  passwords expire at the same time? Not necessarily. They'll all expire at
  the interval of password expiration based on pwdLastSet. To play that out,
  if user 1 last set her pwd yesterday, she has until pwd expiration interval
  from yesterday. If user2 last set his pwd two weeks ago, he'll get the
  notification pwd expiration - 2 weeks.

  So, unless all accounts just had their pwd set at the exact same time, then
  no, they won't all get their pwd notification at the same time. They'll get
  it when they next meet the criteria. To be more articulate in your admin's
  case, they will all expire at the same time *interval* vs. the same exact
  moment in time. Not that it matters for most domains, but...

  Al
  
  


RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread joe

Now if you want to set a policy for say 91 days but everyone's password is
over say 150 days, you can either get to 91 days by starting with a high
policy age and slowly decrease it or you can manually expire people so they
have to change and then once they all get changed, set your policy. To do the
latter, check out expire on my website - free win32 tools of www.joeware.net.
It will allow you to specify userids and minimum password ages for expiration.
That way you can do it in some sort of controlled fashion and if someone
recently changed their password (say after you gathered your list of who to
change), it won't touch them unless you set the minimum password age very low.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

Thanks, Al!

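
Added example (not part of the original thread, and not the joeware expire tool): Al's point that each account expires at pwdLastSet plus the policy interval, and joe's suggestion to step the policy age down gradually, replayed in Python. The account names, password ages, dates and weekly step-down schedule are constructed for illustration; maxPwdAge is the domain attribute holding the policy interval as a negative count of 100 ns ticks, and the model assumes every user changes the password on the day it expires.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86_400 * 10_000_000  # one tick = 100 ns


def to_filetime(dt):
    """UTC datetime -> tick count, the unit pwdLastSet is stored in."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def from_filetime(ticks):
    """Tick count -> UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def expires_at(pwd_last_set, max_pwd_age):
    """Expiry instant of one account: pwdLastSet plus the policy interval.

    max_pwd_age is negative (as stored on the domain), so subtracting adds it.
    """
    return from_filetime(pwd_last_set - max_pwd_age)


def simulate_rollout(accounts, schedule, end):
    """Replay a policy rollout day by day.

    accounts: {name: pwdLastSet in ticks}
    schedule: [(effective datetime, max age in days)], sorted by date
    Returns {date: [accounts forced to change that day]}.
    Assumption: a user changes the password on the day it expires.
    """
    last_set = dict(accounts)
    forced = {}
    day = schedule[0][0]
    while day <= end:
        # The policy in force is the latest step that has taken effect.
        max_days = [days for start, days in schedule if start <= day][-1]
        max_pwd_age = -max_days * TICKS_PER_DAY
        for name in sorted(last_set):
            if expires_at(last_set[name], max_pwd_age) <= day:
                forced.setdefault(day.date(), []).append(name)
                last_set[name] = to_filetime(day)  # password changed today
        day += timedelta(days=1)
    return forced


def peak(forced):
    """Largest number of forced changes landing on a single day."""
    return max(len(names) for names in forced.values())


# Constructed sample: password age in days on the day the policy is introduced.
AS_OF = datetime(2004, 5, 17, tzinfo=timezone.utc)
END = datetime(2004, 7, 31, tzinfo=timezone.utc)
AGES = {"alice": 200, "bob": 180, "carol": 165, "dave": 150, "erin": 140,
        "frank": 120, "grace": 100, "heidi": 60, "ivan": 14}
ACCOUNTS = {n: to_filetime(AS_OF - timedelta(days=a)) for n, a in AGES.items()}

# Option 1: set 91 days in one step. Option 2: lower the age once a week.
BIG_BANG = [(AS_OF, 91)]
STAGED = [(AS_OF + timedelta(weeks=i), days)
          for i, days in enumerate([190, 170, 150, 130, 110, 91])]

if __name__ == "__main__":
    for label, schedule in (("one step", BIG_BANG), ("staged", STAGED)):
        result = simulate_rollout(ACCOUNTS, schedule, END)
        print(label, "peak per day:", peak(result))
        for day, names in sorted(result.items()):
            print("  ", day, ", ".join(names))
```
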


RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Mulnick, Al

And would you want something that never changes? On the one hand it reduces
your help-desk-password-reset-side-business impact. On the other hand, it is
much more likely to be shared or otherwise circulated by silly users. Oh sure,
"our policy prevents that" you say. But think about it. Is a policy that you
don't enforce a worthless policy? I say it is.

OT: in case you're wondering, here's a group who claims to be able to crack
Windows passwords in 13.6 seconds with standard OTF hardware. Not perfect, but
interesting anyway http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al




RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread joe

Crap, I didn't even catch the part about never changing the password, that is
asinine. Any admin who set a policy like that needs to be washing dishes for a
living.

On the password reset help desk business, get a self-help reset web site...
Queue Idan from M-Tec.

 joe




RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Rimmerman, Russ

Queue Idan? Where's this at? URL?



RE: [ActiveDir] consequences of setting password expiration length

2004-05-14 Thread Mulnick, Al

Identifying the issues is easy. Getting others to understand and work to
resolve the issue is what separates the dish washers from the IT professionals
and developers ;-)




RE: [ActiveDir] consequences of setting password expiration lengt h

2004-05-14 Thread Coleman, Hunter



http://www.psynch.com/

Idan works for M-Tec, IIRC


From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 12:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] consequences of setting password expiration lengt h

Queue Idan? Where's this at? URL?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 14, 2004 1:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration lengt h

Crap, I didn't even catch the part about never changing the password, that is asinine. Any admin who set a policy like that needs to be washing dishes for a living.

On the password reset help desk business, get a self-help reset web site... Queue Idan from M-Tec.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 14, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration lengt h

And would you want something that never changes? On the one hand it reduces your help-desk-password-reset-side-business impact. On the other hand, it is much more likely to be shared or otherwise circulated by silly users. Oh sure, "our policy prevents that" you say. But think about it. Is a policy that you don't enforce a worthless policy? I say it is.

OT: in case you're wondering, here's a group who claims to be able to crack Windows passwords in 13.6 seconds with standard OTF hardware. Not perfect, but interesting anyway http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

But would you want a password policy weaker on your admins than on your users?

joe


  
  