I would sort of agree on the rainbow table unless someone builds some
tables where the tokens are words instead of characters. Some of the recent
chatter on FD makes me wonder if someone is going to start doing that. Of
course the intermixing of CAPS helps tremendously. I would still recommend
mixing character cases, numbers, and special chars into the mix. If you, for
instance, have your password policy set to 25+ characters an intelligent
hacking system could automatically go into Word Token mode instead of
character token mode. At least if I wrote a cracker that is what it would
do. 

My personal choice would be to set the domain policy to password length of 1
character min and then enforce something like 15-20-25 via password filter.
The downside is obviously the horrible system of passing back information to
the client when a password fails complexity rules... I.E. It doesn't pass
back anything useful for custom filters.

  joe 
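joe's point about a cracker dropping into "word token mode" against long passphrases, as an added example that is not part of the original thread: a guesser that enumerates dictionary words with case variants and separators, next to the keyspace arithmetic showing why a long passphrase built from common words is much smaller than its character count suggests. The wordlist, the target phrase and the use of SHA-256 as the stored hash are all assumptions made for the demo; the search strategy does not depend on the hash algorithm.

```python
# Added example (not from the original thread): word-token guessing versus
# character brute force. The wordlist and target phrase are constructed for
# the demo, and SHA-256 stands in for whatever hash the target stores.
import hashlib
import itertools
import math

# Constructed dictionary; a real word-mode cracker would carry tens of
# thousands of words.
WORDLIST = ["my", "dog", "name", "is", "red", "rover", "cat", "the"]

PRINTABLE_ASCII = 95  # alphabet size for a character-mode brute force


def hash_password(password: str) -> str:
    """Stand-in for the stored hash (SHA-256 here, an assumption for the demo)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def case_variants(word: str):
    """The capitalisation variants a word-mode cracker would try.

    Mixed case only multiplies the per-word choices by a small constant
    (three here), which is why it helps far less than it does against a
    character-mode attack.
    """
    return sorted({word.lower(), word.capitalize(), word.upper()})


def word_mode_search(target_hash: str, wordlist, max_words: int,
                     separators=(" ", "")):
    """Try every phrase of 1..max_words dictionary words, in every case
    variant and with each separator, until one hashes to target_hash.

    Returns (recovered_phrase, candidates_tried); phrase is None on failure.
    """
    tried = 0
    for n_words in range(1, max_words + 1):
        for words in itertools.product(wordlist, repeat=n_words):
            variant_sets = [case_variants(w) for w in words]
            for variants in itertools.product(*variant_sets):
                for sep in separators:
                    candidate = sep.join(variants)
                    tried += 1
                    if hash_password(candidate) == target_hash:
                        return candidate, tried
    return None, tried


def keyspace_chars(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Candidates a character-mode brute force must cover for this length."""
    return alphabet_size ** length


def keyspace_words(n_words: int, dict_size: int, variants: int = 3,
                   separators: int = 2) -> int:
    """Candidates a word-mode search must cover for a phrase of n_words."""
    return (dict_size * variants) ** n_words * separators


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of work (log2)."""
    return math.log2(keyspace)


if __name__ == "__main__":
    phrase = "My Dog Rover"  # constructed target: 12 characters, 3 words
    target = hash_password(phrase)
    recovered, tried = word_mode_search(target, WORDLIST, max_words=3)
    print(f"recovered {recovered!r} after {tried} candidates")
    print(f"character mode, {len(phrase)} chars: "
          f"{bits(keyspace_chars(len(phrase))):.1f} bits")
    print(f"word mode, 3 words from {len(WORDLIST)}: "
          f"{bits(keyspace_words(3, len(WORDLIST))):.1f} bits")
    # A realistic dictionary narrows the gap but does not close it:
    print(f"word mode, 6 words from 50000: "
          f"{bits(keyspace_words(6, 50000)):.1f} bits vs "
          f"{bits(keyspace_chars(26)):.1f} bits for 26 characters")
```

The point of the two keyspace functions is the comparison: a character-mode attacker sees a 12-character password as roughly 79 bits of work, while a word-mode attacker with the eight-word dictionary above sees the same phrase as under 15 bits. Adding digits or symbols inside a word, rather than between words, is what forces the attacker back toward character mode.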

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug Hampshire
Sent: Wednesday, November 03, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Notification containing new password

<mutter> Someday I'll learn to type in complete sentences.

They can remember "My dog's name is Red Rover" easily and no amount of
current computing power can crack it even with rainbow tables.


----- Original Message ----- 
From: "Doug Hampshire" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 03, 2004 3:39 PM
Subject: Re: [ActiveDir] Notification containing new password


> They used to track passwords here at a time before my arrival. And most 
> users had the same 4 character password! Needless to say there is now a 
> password policy that encourages the use of passphrases (passwords are bad,
> evil things). With the minimum password length we have set, users have to 
> use a passphrase. They can remember "My dog's name is Red Rover" easily 
> and no amount of current computing power of rainbow tables.
>
> For any user that attempts to tell me their password/passphrase, I tell 
> them that if they do I will logon as them and send an eMail to the entire 
> company (as them) inviting everyone to an adult toy party at their house 
> this Friday night.
>
> ----- Original Message ----- 
> From: "ASB" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 03, 2004 10:34 AM
> Subject: Re: [ActiveDir] Notification containing new password
>
>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> I would like to have the user's change their own passwords, but I
>> would also like to be able to know their new passwords.
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> ALARM! ALARM!!
>>
>> I don't *ever* want to know someone else's password.  I don't *ever*
>> want someone else to have reason to believe that I have their
>> password, as this violates all sorts of security principles.
>>
>> This violates the whole purpose of having a password in the first place.
>>
>> If I ever need to get into an end-user system as their specific
>> account, when they happen to be unavailable, I'll change their
>> password at that time.  (Ensuring that I have good key recovery in
>> place for EFS usage)
>>
>> Suffice it to say, your plan has Bad-Idea written all over it.  I
>> would highly recommend that you pursue a different course of action.
>>
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Does anyone know of a solution? Maybe something like an email
>> generated by some sort of script with the new password?
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> This only sounds worse...
>>
>> Not incidentally, the NET USER /RANDOM command supports the generation
>> of random passwords.
>>
>> - ASB
>>  Cheap, Fast, Secure -- Pick Any TWO.
>>  http://www.ultratech-llc.com/KB/
>>
>>
>> On Wed, 3 Nov 2004 13:21:39 -0500, Matthew Crape
>> <[EMAIL PROTECTED]> wrote:
>>>  Hi Group,
>>>
>>>     I have already delved into the archives and I couldn't find quite
>>> what I was looking for. It is very possible that I looked over it, and
>>> if I did I apologize in advance. Now, to my question: We are a fairly
>>> small shop here (about 40 users) and the traditional way of doing a
>>> password change was to collect new passwords from everyone and then I
>>> change them in AD as well as in a couple of other places (i.e. like
>>> synchronizing them with our non-Exchange mail server). We did this so
>>> that in case somebody was away on vacation and we needed to log on to
>>> their computer (with their profile) we could do it. It saves the hassle
>>> of, say, logging in with a domain account and then manually opening up
>>> a PST file or something like that.
>>>
>>>     I would like to have the users change their own passwords, but I
>>> would also like to be able to know their new passwords. We have had
>>> numerous issues in the past with people telling us their wrong
>>> passwords, so I would like to get it straight from AD if possible.
>>> Right now the only solution I can see is cracking all of the passwords,
>>> but that isn't the most feasible way.
>>>
>>>     Does anyone know of a solution? Maybe something like an email
>>> generated by some sort of script with the new password? Sorry if this
>>> email dragged on for a bit. Any help is appreciated. Thanks.
>> List info   : http://www.activedir.org/mail_list.htm
>> List FAQ    : http://www.activedir.org/list_faq.htm
>> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>>