I have used passphrases for several years now. My passwords are never less than 10 characters and they're not crackable because they're not dictionary-breakable; most password compromise tools won't check for a complex passphrase, and even something as simple as 'mydogspothasfleas' defeats them.

My last employer used them heavily and we hardly ever had to do password resets, because people used phrases that meant something to them and thus they didn't forget them.

Bear in mind the possible downside that some DOS and older software cannot handle passwords this long (net use being one example I have found).


From: Craig Cerino [mailto:[EMAIL PROTECTED]
Sent: Saturday, 15 May 2004 1:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] consequences of setting password expiration length

It really depends on what type of group policy you set.

On an interesting note: I just attended the Microsoft Security Strategies Road Show this week and the topic of passwords vs. passphrases was brought up.

If you are willing to implement the policy, i.e. if you force your users to use a minimum 15-character password/passphrase (for example "my dog has fleas", which is 16 including spaces; remember that with Windows you can use spaces in passwords), you can have them never be forced to change their password, not use lockouts after X bad attempts, and still have just over 1,677,259,342,285,725,925,376 different possibilities. Meaning that even with a brute force attack it would conceivably take thousands of years to crack a password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it'll take 531,855 centuries

(credited to Mark Minasi)

Just a little idea they threw out there.
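The arithmetic behind the figures quoted above, as an added example that is not part of the original message: it reproduces the 26^15 keyspace and the 531,855-centuries figure (which assumes 365-day years and the thread's one-million-guesses-per-second rate, both assumptions you can change), and it flags the 14-character LM hash threshold the first bullet refers to. The function names and the 365-day-year assumption are this example's own.

```python
# Seconds in a century using 365-day years (3,153,600,000 s); this is the
# convention that reproduces the 531,855-centuries figure quoted in the thread.
SECONDS_PER_CENTURY = 100 * 365 * 24 * 60 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from
    an alphabet of `alphabet_size` symbols (26 for lowercase letters)."""
    return alphabet_size ** length


def centuries_to_exhaust(space: int, guesses_per_second: int) -> int:
    """Whole centuries needed to try every candidate in `space` at a fixed
    guess rate. Integer arithmetic keeps the result exact for 2^70-sized
    spaces, where floats would already be rounding."""
    return space // (guesses_per_second * SECONDS_PER_CENTURY)


def lm_hash_created(password: str) -> bool:
    """Windows stores an LM hash only for passwords of 14 characters or
    fewer, which is why the thread's 15-character minimum avoids it."""
    return len(password) <= 14


def assess(password: str, guesses_per_second: int = 1_000_000) -> dict:
    """Summarise a candidate passphrase the way the thread does: treat every
    position as one of 26 lowercase letters (spaces included, as the thread's
    own 16-character example does), and report the exhaustive-search time at
    the given guess rate. The rate is the defender's assumption; raise it to
    model a faster attacker."""
    space = keyspace(26, len(password))
    return {
        "length": len(password),
        "meets_15_minimum": len(password) >= 15,
        "lm_hash_created": lm_hash_created(password),
        "keyspace": space,
        "centuries_at_rate": centuries_to_exhaust(space, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed sample phrases, including the two quoted in the thread.
    for phrase in ("my dog has fleas", "mydogspothasfleas", "mydoghasfleas"):
        report = assess(phrase)
        print(f"{phrase!r}: {report}")
```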

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 14, 2004 11:04 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] consequences of setting password expiration length

Hi Folks,

I apologize for the question since I think it has been battered around in one form or another, but I can't seem to find the answer. The question: a related company root admin wants to set a password expiration length time on a W2K domain. He is worried that everyone's password will expire at the same time. Correct or incorrect? TIA!

Mike Thommes
