Yikes -- I was merely offering up an idea
that was posed by a very well respected Active Directory expert -- I never said
it was something I do -- or even would do -- I actually started off the
repeat of the idea by saying “If you were willing”

From: joe [mailto:[EMAIL PROTECTED]

Crap, I didn't even catch the part about
never changing the password, that is asinine. Any admin who set a policy like
that needs to be washing dishes for a living.

On the password reset help desk business,
get a self-help reset web site... Cue Idan from M-Tec.....

joe

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al

And would you want something that never
changes? On the one hand it reduces your help-desk-password-reset-side-business
impact. On the other hand, it is much more likely to be shared or
otherwise circulated by silly users. Oh sure, "our policy prevents
that" you say. But think about it. Is a policy that you don't
enforce a worthless policy? I say it is.

OT: in case you're wondering, here's
a group who claims to be able to crack Windows passwords in 13.6 seconds
with standard OTF hardware. Not perfect, but interesting anyway:
http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

Al

From: joe
[mailto:[EMAIL PROTECTED]

But would you want a password policy
weaker on your admins than on your users?

joe

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino

I thought we were discussing end user
policies though not TS Admins

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

It is a good idea. I use pass phrases...
however, try using TS Manager to grab a session when you have a long
password like that; it comes back and tells you bad password even though you can
log into a "fresh" TS session just fine.

joe

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino

It really depends on what type of group
policy you set.

On an interesting note -- I just attended
the Microsoft Security Strategies Road Show this week and the topic of
passwords vs. passphrases was brought up.

If you are willing to implement the policy
-- if you force your users to use a minimum 15 character password/passphrase
(i.e. my dog has fleas which is
16 including spaces -- remember with Windows you can use spaces in passwords)
you can have them never be forced to change their password, not use lockouts
after X bad attempts and still have just over
1,677,259,342,285,725,925,376 different possibilities. Meaning even with a
brute force attack -- it would conceivably take thousands of years to crack a
password.

- Minimum of 15 characters means no LMHash created
- 15 lowercase letters = 1,677,259,342,285,725,925,376 possibilities
- Try a million a second, it’ll take 531,855 centuries

(credited to Mark Minasi)

Just a little idea they threw out there.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.

Hi Folks,

I apologize for the question since I
think it has been battered around in one form or another but I can't seem to
find the answer. The question: a related company root admin wants to see
a password expiration length time on a W2K domain. He is worried that
everyone's password will expire at the same time. Correct or
incorrect? TIA!

Mike Thommes
