RE: [ActiveDir] consequences of setting password expiration length

[Craig Cerino]

I thought we were discussing end user policies though not TS Admins   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, May 14, 2004 12:33 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] consequences of setting password expiration length   It is a good idea. I use pass phrases... however trying using TS Manager to grab one a session when you have a long password like that, comes back and tells you bad password even though you can log into a "fresh" TS session just fine.     joe   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: Friday, May 14, 2004 11:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] consequences of setting password expiration length It really depends on what type of group policy you se.   On an interesting note - -I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up.   If you are willing to implement the policy - - if you force your users to use a minimum 15 character password/passphrase (i.e. my dog has fleas which is 16 including spaces - - remember with windows you can use spaces in passwords) you can have them never be forced to change their password, not use lockouts after X bad attempts and still have  just over 1,677,259,342,285,725,925,376 different possibilities. Meaning even with a brute force attack - -it would conceivably take thousands of years to crack a password.   n         Minimum of 15 characters means no LMHash created n         15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities n         Try a million a second, it’ll take 531,855 centuries (credited to Mark Minasi)   Just a little idea they through out there.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, May 14, 2004 11:04 AM To: Active Directory Mailing List (E-mail) Subject: [ActiveDir] consequences of setting password expiration length   Hi Folks,     I apologize for the question since I think it has been battered around in one form or another but I can't seem to find the answer.  The question: a related company root admin wants to see a password expiration length time on a W2K domain.  He is worried that everyone's password will expire at the same time.  Correct or incorrect?  TIA!   Mike Thommes