I'd be very interested to see the technical data that backs that up
(not you Neil, but the folks from Microsoft that make that claim.)
Is it related to people being able to remember a limited number of
numbers
perhaps?(http://www.youramazingbrain.org.uk/yourmemory/digitspan.htm
) Or is there some other empirical data that says that passwords with
greater than 7 characters is likely to be repeated?
Or could it be that somebody at MS is sore that NTLM had to be
upgraded to beyond two 7 char strings? ;)
Seriously, I see nothing like that here
http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf or
here http://www.passwordresearch.com/stats/statindex.html
I think that's a load of bologna to make a suggestion to keep
passwords to less than 7 characters. If anything, there's no reason
not to make them longer as the more characters that have to be
guessed, the harder it becomes to brute-force hack them (assuming
that passwords are not stored as two 7 char strings, right?) That
allows the system to be even more useful because you can then extend
the attempts prior to lockout making the system more useful to the
end user.
In the end, there are some assertions that passwords by themselves
are coming to the end of their useful life. Hmm.. Maybe. But I think
coupled with good lockout policies, strong passwords mean we can
mitigate the risks for most situations. Not forever of course.
I'd love to see some of that data that shows that users repeat after
7 characters if anyone has it.
Al
Just for fun:
http://plus.maths.org/issue31/features/eastaway/index-gifd.html
On 3/6/06, [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>* <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> > wrote:
The use of >20 char passwords caught my eye.
In previous discussions with MS et al, it was suggested that
the
majority of users would simply repeat a (at most ( 7 char password
n times, so as to meet the 20+ char pw policy requirement.
As a result, I have heard it suggested that in reality (not
theory) a pw policy of more than 7 chars is actually counter
productive. [Any pw policy with a multiple of 7 chars being most
counter productive.]
Food for thought,
neil
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> [mailto:
[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>] *On Behalf Of *Ulf B.
Simon-Weidner
*Sent:* 05 March 2006 08:35
*To:* [email protected]
<mailto:[email protected]>
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?
I've written down some related thoughts once:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
<http://msmvps.org/UlfBSimonWeidner>
Website: _http://www.windowsserverfaq.org_
<http://www.windowsserverfaq.org/>
Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> [mailto:
[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>] *On Behalf Of
*Edwin
*Sent:* Sunday, March 05, 2006 4:17 AM
*To:* [email protected]
<mailto:[email protected]>
*Subject:* [ActiveDir] How Secure is a Domain Controller?
How Secure is a Domain Controller that is fully patched on a
default install of Windows 2003? When promoted the domain
controller has the two default policies, both of which are
recommended not to be modified. But there are things that could
be done better for added security. For example, NTLMv2 refuse
NTLM and LM. Is it common practice to add additional GPO's to the
DC OU? Or is DC protected enough to where all that is needed to
worry about are the member machines?
If adding additional GPO's to the DC OU, is there anything that
should definitely be avoided?
Edwin
PLEASE READ: The information contained in this email is
confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and
delete your
copy from your system. You must not copy, distribute or take any
further
action in reliance on it. Email is not a secure method of
communication and
Nomura International plc ('NIplc') will not, to the extent
permitted by law,
accept responsibility or liability for (a) the accuracy or
completeness of,
or (b) the presence of any virus, worm or similar malicious or
disabling
code in, this message or any attachment(s) to it. If verification
of this
email is sought then please request a hard copy. Unless otherwise
stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are
solely those of
the author and do not necessarily represent those of NIplc; (3) is
intended
for informational purposes only and is not a recommendation,
solicitation or
offer to buy or sell securities or related financial instruments.
NIplc
does not provide investment services to private customers.
Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
