Quest about password complexity

Guest

Is there any workaround (or free tool) to enforce strong passwords other than
enabling "Password must meet complexity requirements" in AD or using
third-party tools like "Password Policy Enforcer"?

Let's say the password combination is enforced to use number + character.

Any input will be appreciated.
 
Howdie!

Alan said:
Is there any workaround (or free tool) to enforce strong passwords other than
enabling "Password must meet complexity requirements" in AD or using
third-party tools like "Password Policy Enforcer"?

Let's say the password combination is enforced to use number + character.

No, there isn't. Well, you could of course write yourself a custom
passfilt.dll which is responsible for the checking:
http://msdn2.microsoft.com/en-us/library/ms722439.aspx - but since the
self-made-DLL will run on your most important machines (the domain
controllers!) you really won't consider doing that.

You'll have to use a third party tool for that.

cheers,

Florian
 
Howdie!

Alan said:
BTW, has anyone tried passfilt.dll and has any experience to share?

I've heard of a product called "Passfilt Pro" which essentially does
such a thing, if I remember right - but never used it. I also haven't
had a closer look at the passfilt.dll story, since there are a few good
products out there.

You need to see the tradeoff between writing the thing yourself and
buying a third party product. In my opinion, if you haven't any
excellent C++ cracks in your corp, you'll end up spending more time,
money and resources in writing such a thing yourself than spending the
money for a ready-to-go solution from a third-party-vendor.

cheers,

Florian
 
Thanks Florian!

BTW, has anyone tried passfilt.dll and has any experience to share?

Alan

I've worked on a few password filters, including Password Policy
Enforcer that you referred to above. Writing a simple password filter
isn't a massive undertaking. It's just a DLL with a few entry points.
The problem is that the DLL is critical to the stability of your
domain controllers. One serious bug, and you will BSOD them. There are
also a couple of bugs and limitations in the password filter
interface. These aren't noted in the documentation, so you are going
to have to discover and fix them the hard way.

Another problem is that there is no way for a password filter to
return useful error messages back to the user. All the commercial
products have solutions for this now, but it's not easy to implement.
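
The "DLL with a few entry points" described in this thread, applied to the letter-plus-digit rule from the original question, as an added example that is not part of any post here and not code from any product mentioned. The helper name `policy_accepts` and the ASCII-only definition of "letter" are assumptions; the policy check is kept portable so it can be tested away from a domain controller.

```c
#include <stddef.h>
#include <stdint.h>
/* Policy from the question: at least one ASCII letter and one digit
 * (ASCII-only is an assumption of this example).
 * byte_len is in BYTES and buf is NOT NUL-terminated, matching the
 * Buffer/Length fields of UNICODE_STRING. */
int policy_accepts(const uint16_t *buf, size_t byte_len)
{
    int has_letter = 0, has_digit = 0;
    size_t n = byte_len / sizeof(uint16_t);   /* UTF-16 code units */
    if (buf == NULL)
        return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = buf[i];
        if (c >= '0' && c <= '9')
            has_digit = 1;
        else if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
            has_letter = 1;
    }
    return has_letter && has_digit;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>

/* The three entry points of a password filter DLL (export them via a
 * .def file). No allocation, no I/O, no logging of the password. */
BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }

NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName,
                ULONG RelativeId, PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0;   /* STATUS_SUCCESS: nothing to do after the change */
}

BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName,
                             PUNICODE_STRING FullName,
                             PUNICODE_STRING Password,
                             BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    return Password != NULL &&
           policy_accepts((const uint16_t *)Password->Buffer,
                          Password->Length);
}
#endif
```

Returning FALSE from `PasswordFilter` rejects the change but, as noted above, gives the user no explanation of which rule failed.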
 