I have the password length set to 8 characters and the complexity requirements enabled. And it was somewhat surprising to see the passwords jump up before my eyes. I am only using the trial version, so the true brute force mode is not enabled. I found a v2.5 on the net and it was able to crack 80% of the passwords in an overnight run. Quite eye-opening.

Jim Liddil

> -----Original Message-----
> From: Ryan Malayter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 02, 2002 11:37 AM
> To: Exchange Discussions
> Subject: RE: Password Policy Enforcement
>
> Brute-forced in a matter of seconds? What's your minimum password length?
>
> We use 8 characters with passfilt. There are 95 "typeable" non-whitespace characters on US keyboards. 95^8 is approximately 10^15. Even if a cracker could try one billion passwords per second (which would require many machines running in parallel), you're looking at an average cracking time of about 5.5 days.
>
> Granted, LC3 does a lot of things to make its brute-force approach "smarter", like appending numbers and punctuation to dictionary words and trying those first. But no reasonably long password should even be cracked in seconds.
>
> -----Original Message-----
> From: James Liddil [mailto:[EMAIL PROTECTED]]
> Posted At: Thursday, May 02, 2002 9:42 AM
> Posted To: Exchange List
> Conversation: Password Policy Enforcement
> Subject: RE: Password Policy Enforcement
>
> I am running w2k and have the policy set to require they meet the complexity requirements. But I find that I am still able to crack these passwords in a matter of seconds. To me this is almost one of those questions that crosses many boundaries. Particularly with w2k, AD and exchange sort of being one beast. I would prefer to be able to plug as many holes as possible. And yes I am taking care of obvious things as part of a complete security review.
>
> Jim Liddil
>
> > -----Original Message-----
> > From: Hunter, Lori [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 02, 2002 10:02 AM
> > To: Exchange Discussions
> > Subject: RE: Password Policy Enforcement
> >
> > What is the goal? What are you already doing to enforce strong passwords? Are you running passfilt?
> >
> > This is really a question better suited for the WinNT list, by the way.
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]

