Posted by Joe Richards [MVP] on June 9, 2006, 9:48 pm
That would be a password complexity item; unfortunately, the solution is
more insecure than the problem.
In order to be able to do comparisons like that you would need to
maintain the clear text form of the passwords somewhere so you could do
the comparison. Windows stores hashes and a simple increment in a
password will result in an entirely different hash, not an incremented
hash. So to make that comparison you need the clear text form of the old
passwords and do the comparison against the new clear text password. I
am of the opinion that those clear text passwords sitting around are far
more dangerous than some users who may or may not do Password1,
Password2, Password3, etc.
Your answer here is to educate your users on their password choices.
This goes for you admins as well because admins are horrible for doing
this and using duplicate passwords on different accounts. This last is
actually quite easy to catch... Get a hash dumper like pwdump2 and
compare the hashes, any duplicate hashes indicate duplicate passwords.
You will often find that admins with separate user and admin accounts
will duplicate passwords between the two of them; this should be a huge
no-no. Admins tend to be more concerned about normal users than admins, but
the admins are where most of the risk is.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
David DeBoer wrote:
> Hello...
>
> On SBS2003 is there a way to keep users from repeating characters in their
> password?? For example my password today is 'Password-1'. When prompted to
> change it I change it to 'Password-2'. To me that doesn't seem real secure.
> It seems there must be a way to force users to change more than 1 character.
>
> Any thoughts??
>
> Thanks...
>
>
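The duplicate-hash audit Joe describes above (dump the hashes, look for accounts that share one, and pay special attention to user/admin pairs), as an added example that is not part of the original thread. It assumes the common pwdump line layout `user:rid:lmhash:nthash:::`; the dump lines and hash values below are constructed placeholders, and the "privileged account" heuristic (RID 500 or "admin" in the name) is an assumption for illustration, not a Windows rule.

```python
"""Audit a pwdump-style hash dump for accounts that share a password.

Windows stores only hashes, so two accounts with identical NT hashes have
identical passwords even though no plaintext is ever available.
Assumed input layout (pwdump style): user:rid:lmhash:nthash:::
"""
from collections import defaultdict

# Constructed sample dump; every hash value here is a placeholder, not a real hash.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jdoe:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
jdoe-admin:1106:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
asmith:1107:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
bjones:1108:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
svc_backup:1109:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def parse_dump(text):
    """Return {account: (rid, nt_hash)}; blank or malformed lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[3]:
            continue
        accounts[parts[0]] = (parts[1], parts[3].lower())
    return accounts


def shared_hashes(accounts):
    """Group accounts by NT hash; keep only hashes used by more than one account."""
    by_hash = defaultdict(list)
    for name, (_rid, nt) in accounts.items():
        by_hash[nt].append(name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


def privileged_overlaps(accounts, groups):
    """Subset of shared-hash groups that include a privileged-looking account.

    Heuristic (an assumption for this example): RID 500 or 'admin' in the name.
    """
    return {h: names for h, names in groups.items()
            if any(accounts[n][0] == "500" or "admin" in n.lower() for n in names)}


if __name__ == "__main__":
    acct = parse_dump(SAMPLE_DUMP)
    groups = shared_hashes(acct)
    for h, names in groups.items():
        tag = "PRIVILEGED" if h in privileged_overlaps(acct, groups) else "user-only"
        print(f"{tag}: {', '.join(names)} share NT hash {h[:8]}...")
```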