Password Security Tool

  • Thread starter: Mike Morgan

Mike Morgan

All,

Does anyone know of a good third-party tool that will work with NT/2000
User Manager to ensure that users' passwords can't be cracked easily? We
would like to force users to use non-alphanumeric characters in their
passwords, among other things.

Thanks,

Mike

Mike Morgan
Public Communications Services
Network/System Administrator
Email: (e-mail address removed)
 
W2K has the password complexity option you can enable, which you probably are aware
of, though that will not do quite what you want. To do that you will need a custom
passfilt.dll - search the Microsoft website for passfilt.dll for help on that; it will
require the help of a programmer. However, you may also want to look at using
complexity along with a reasonable maximum password age and an account lockout
policy. The account lockout policy does not have to be severe to be effective. If you
have a lockout policy with a threshold of ten attempts and a fifteen minute lockout,
that will go a long way to protect from password attacks. Try as you can, it will be
very difficult to force users to use secure passwords. For instance, a user named
Betty could have a password such as B*e*t*t*y1. Hopefully domain administrators
understand the need to use complex passwords for their accounts. There is also
software such as LC4 to crack passwords yourself to see what users are actually
using.

-- Steve

http://www.atstake.com/products/lc/
 
In the GPO settings, you can enable Password Complexity under the Account
Policies|Password Policies. This will require the following:

6 char password
3 of 4 types of char in password (upper, lower, numbers, special)
no username
no logonname

You can beef this up with the other settings in the Password Policies, such
as:

Min char length
Min age
Max age
Passwords to remember

If you go much more than this, users will actually regress, and the
passwords will be required to be written down so they can remember, which is
much worse than someone hacking in... they just need to visit the user's
desk!
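
Added example, not part of the thread and not Microsoft's passfilt.dll code: a portable C sketch of the complexity rules as listed in the reply above, next to a stricter check of the kind a custom password filter could apply to the B*e*t*t*y1 case from the earlier reply. The function names `meets_complexity` and `stricter_filter` are hypothetical, and a single `user` string stands in for both the user name and the logon name.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Copy s into out, lower-cased, keeping only letters and digits. */
static void squash(const char *s, char *out, size_t cap) {
    size_t n = 0;
    for (; *s && n + 1 < cap; s++)
        if (isalnum((unsigned char)*s))
            out[n++] = (char)tolower((unsigned char)*s);
    out[n] = '\0';
}

/* Case-insensitive substring search; an empty needle never matches. */
static bool contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0) return false;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

/* Rules as listed in the thread: 6+ chars, 3 of 4 character types, no user name. */
bool meets_complexity(const char *pw, const char *user) {
    int up = 0, lo = 0, di = 0, sp = 0;
    if (strlen(pw) < 6) return false;
    for (const char *p = pw; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isupper(c)) up = 1;
        else if (islower(c)) lo = 1;
        else if (isdigit(c)) di = 1;
        else sp = 1;
    }
    if (up + lo + di + sp < 3) return false;
    return !contains_ci(pw, user);
}

/* Stricter (hypothetical) rule: also reject when the name reappears
   once separators such as '*' are stripped from the password. */
bool stricter_filter(const char *pw, const char *user) {
    char a[128], b[128];
    if (!meets_complexity(pw, user)) return false;
    squash(pw, a, sizeof a);
    squash(user, b, sizeof b);
    return b[0] == '\0' || strstr(a, b) == NULL;
}
```

B*e*t*t*y1 for user Betty passes `meets_complexity` but is rejected by `stricter_filter`, which is the gap the earlier reply points at.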
 