AD Password complexity - passwords too long?

Hello list,

We have password complexities set on our domain; minimum password length is 8 and all XP users and Windows 2003 servers.

I can set my password to 9-10 characters, but if I try to set it for 10+ characters, they get the error message that they do not meet the complexity requirements.

I have searched Microsoft documentation, and find minimum length requirements. I think I saw something about 28 characters, and even 127 characters.

Does anyone know if there is a max password length?

We would like to keep the minimum 8 characters, and the maximum varied at the users discretion. Can this be done?

Thanks
|
|
RE: AD Password complexity - passwords too long?

Check out this link. This is probably what you are missing...

http://technet.microsoft.com/en-us/library/cc786468.aspx

Dave Doeppel
Director, IT
Idealab
626-685-4952
Cell: 818-429-3886

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of dgonzalez.itpro@...
Sent: Tuesday, May 19, 2009 9:32 AM
To: focus-ms@...
Subject: AD Password complexity - passwords too long?

Hello list,

We have password complexities set on our domain; minimum password length is 8 and all XP users and Windows 2003 servers.

I can set my password to 9-10 characters, but if I try to set it for 10+ characters, they get the error message that they do not meet the complexity requirements.

I have searched Microsoft documentation, and find minimum length requirements. I think I saw something about 28 characters, and even 127 characters.

Does anyone know if there is a max password length?

We would like to keep the minimum 8 characters, and the maximum varied at the users discretion. Can this be done?

Thanks
|
|
RE: AD Password complexity - passwords too long?

For a Windows 2003 domain in native mode, the limit is either 128 or 256, I forget which. My administrator password is routinely over 20 characters and I do not have a problem. It is unlikely that you will have end users with passwords reaching the character limit simply because it's a pain to type that many characters just to get into a machine. I wouldn't set a minimum password length less than 8 characters.

A password over 15 characters cannot be used for LM or NTLM authentication. NTLMv2 authentication must be used for these longer passwords and therefore can be a problem on some older Unix/Linux SMB servers.
|
|
RE: AD Password complexity - passwords too long?

AD allows 127 characters. I have (programmatically) set passwords up to this length. Win9x were limited to 14 IIRC. Some people may have incorrectly assumed that the AD limit is based on the length of the password field in the interactive dialog box which is something like 28 characters or so, but scrolls when that size is exceeded. That may explain the erroneous documentation. Try setting a password to something straightforward for testing like A1aaaaaaaaaaaaaaaaaa and verify if it's a length issue or something else.

Brian
|
|
Re: AD Password complexity - passwords too long?

Thanks for the replies all...

I have done the test below and still didn't work. I checked to make sure domain GPOs were being applied, and they are.

As I mentioned minimum password length is 8 characters.

If my password is Myp@sw0rd (as you can see it's actually 9) it works ok, but if I try to use Myp@sw0rd1sthis it does not work. It will not allow me to change it.

I have also checked the other requirements (history, username in password, etc...)

Could there be a restriction as far as using a special character more than once?

I have seen the documentation that states otherwise, but anything longer than 9-10 characters fails.

*shrug*

Daniel

----- Original Message -----
From: "Brian K. Dore" <bkd@...>
To: <dgonzalez.itpro@...>; <focus-ms@...>
Sent: Tuesday, May 19, 2009 10:50 AM
Subject: RE: AD Password complexity - passwords too long?

> AD allows 127 characters. I have (programmatically) set passwords up to this
> length. Win9x were limited to 14 IIRC. Some people may have incorrectly
> assumed that the AD limit is based on the length of the password field in
> the interactive dialog box which is something like 28 characters or so,
> but scrolls when that size is exceeded. That may explain the erroneous
> documentation. Try setting a password to something straightforward for
> testing like A1aaaaaaaaaaaaaaaaaa and verify if it's a length issue or
> something else.
>
> Brian
|
|
RE: AD Password complexity - passwords too long?

Password length and complexity are two different policies, password complexity also includes the 6 char minimum flag. If I were you I would set the complexity policy first then the length policy and narrow it down that way, although it looks to me if you are getting the message that it failed complexity then it is not the length of the password that you are having the problem with as long as it is more than 6 char. In any event I would try one then the other :)
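The separation described in the message above, a length policy and a complexity policy evaluated independently, can be modelled to see which of the two a given password trips. This is an added example, not code from any poster or from Microsoft: a Python approximation of the complexity rule as Microsoft documents it for current Windows versions (three of five character categories, no account name, no display-name token of three or more characters). The account name, display name and the last two sample passwords are constructed.

```python
import re

# Delimiters the documented rule uses to split the display name into tokens:
# comma, period, dash/hyphen, underscore, space, pound sign, tab.
_DISPLAYNAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def character_classes(password):
    """Return the set of documented character categories present."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isalpha():
            classes.add("other-alphabetic")  # letters without case
        else:
            classes.add("special")           # anything non-alphanumeric
    return classes


def name_tokens(display_name):
    """Display-name tokens of three or more characters; shorter ones are ignored."""
    return [t for t in _DISPLAYNAME_DELIMS.split(display_name) if len(t) >= 3]


def complexity_failures(password, sam_account_name, display_name):
    """Reasons the modelled complexity rule rejects a password (empty list = pass)."""
    failures = []
    lowered = password.lower()
    # The account name is checked as a whole, case-insensitively, if >= 3 chars.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        failures.append("contains account name")
    for token in name_tokens(display_name):
        if token.lower() in lowered:
            failures.append("contains display-name token %r" % token)
    found = character_classes(password)
    if len(found) < 3:
        failures.append("only %d of 5 character categories" % len(found))
    return failures


def diagnose(password, sam_account_name, display_name, min_length):
    """Evaluate the length policy and the complexity policy separately."""
    return {
        "length_ok": len(password) >= min_length,
        "complexity_failures": complexity_failures(
            password, sam_account_name, display_name),
    }


if __name__ == "__main__":
    # Constructed account; the first three passwords are the ones quoted in
    # the thread, the last two are constructed to show a failure.
    sam, display = "jsmith", "Smith, Jordan"
    for pw in ("Myp@sw0rd", "Myp@sw0rd1sthis", "A1aaaaaaaaaaaaaaaaaa",
               "Winter#09-Jordan", "passwordpassword"):
        print(pw, diagnose(pw, sam, display, min_length=8))
```

A longer password can fail this rule where a shorter one passed, because each added word is another chance to contain a name token; the rule has no upper length bound of its own.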
|
|
Re: AD Password complexity - passwords too long?

AD and other dialog password fields (like the Log on tab in the services mmc) will only allow 127, but Windows will accept up to a 256-character limit on passwords without a problem, which would have to be set programmatically. If I remember correctly, for organizations that have "smart card reuse smart cards for logon

--
Anthony Petito
|
|
Re: AD Password complexity - passwords too long?

AD and other password dialog fields (for example, mmc snap-ins) will only allow an input of 127 characters, but Windows will accept up to a 256-character limit on passwords without a problem. Unfortunately, the only way to set that length would be programmatically. If I remember correctly, for organizations with users that have "smart card required for interactive logon" AD will randomize and change that user's password to fit in that 256-character string space.

--
Anthony Petito
|
|
Re: AD Password complexity - passwords too long?

The difference between 7 and 8 is computationally negligible these days. 8 characters creates two halves of a LanMan hash (which is still created by default, both on servers and workstations). Enforcing an eight character complex password means users will typically put the special character (*&^%$) as the last character. (and many users will only create the minimal length password) That leaves the first seven characters as alpha-numeric - which can be cracked with a small character set in a password cracker. The eighth character is then the special character, which is the first character in the second LanMan hash - so it will crack instantly in password cracker. You've then compromised a complex password of 8 characters in a matter of minutes.

If the password minimum length is seven, most users will make theirs seven, which means the special character is within the first 7 (probably last, but that doesn't matter) which means in order to crack the lanman hash, you'd need to run the cracker with the entire character set (not just alphanumeric) over the entire 7 character range - which will take a long time. Using this analogy, a seven character complex password will usually be tougher to crack than an 8-12 character complex password.

If you insist upon using 8, then make sure to set the reg key on all desktops, servers, and domain controllers to not create the LanMan hash. Then, run some of the freeware tools available to delete all existing LanMan hashes from the password history (as they can be used to help guess what the current password is).

Better yet, enforce a minimum of 15 characters. You should still run a tool to delete all the old password hashes just to be safe. With a 15 character password, it won't save the LM hash, so it will be much tougher to crack.

I've done an experiment in the classroom on password length (before Steve Riley wrote an article on this - no offense Steve!). I ask each person on one side of the classroom to pick a password. They think up a password - one they would typically use at work. Don't say it, just think of it. Then I ask people on the other side of the classroom to think of a passphrase. Don't say it out loud - just think of it. I ask the first side of the room (password) to count the length of the password they thought of - and I ask the others (passphrase) to count the length of their passphrase. The first side of the room is usually sitting between 7 and 13 characters long. The second side of the classroom is anywhere from 20 to 60 characters long (rarely shorter than 15).

Asking users to think of passwords as 'passphrases' is a really good way to encourage long password length. It's usually easier for a user to remember their passphrase, and it's easy for them to change it next month (they can simply change a word or value in their phrase.) A good passphrase usually includes one or more spaces in the phrase - that helps with the special character (how many people put spaces in their passwords? not many...)

Therefore, if you want to go with a minimum less than 15, use 7, else do 15+ and educate folks about the coolness of the passphrase. Just don't use 8. (see my article here - why 7 is better than 8: http://www.securityfocus.com/infocus/1319)
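The layout described in the message above can be made concrete without computing any hash. This added example (not from the post or the linked article) shows, for constructed sample passwords, which characters land in each 7-character LM half, which alphabet each half draws from, and when no LM hash is stored at all. The three alphabet sizes are modelling assumptions, and `no_lm_hash` is a hypothetical parameter standing for the NoLMHash registry setting, assumed to be the "reg key" the message refers to.

```python
import math
import string

LM_MAX_LEN = 14    # a password longer than this has no LM hash stored
LM_HALF_LEN = 7    # LM hashes each 7-character half independently
# Well-known LM value for a half that contains no characters.
LM_EMPTY_HALF = "AAD3B435B51404EE"

# LM upper-cases the password first, so lower case never reaches a half.
UPPER = set(string.ascii_uppercase)
ALNUM = UPPER | set(string.digits)
PRINTABLE = ALNUM | set(string.punctuation) | {" "}


def alphabet_size(chunk):
    """Size of the smallest modelled alphabet that covers an upper-cased chunk."""
    chars = set(chunk)
    if chars <= UPPER:
        return len(UPPER)       # 26
    if chars <= ALNUM:
        return len(ALNUM)       # 36
    return len(PRINTABLE)       # 69; ASCII only, other code pages not modelled


def lm_layout(password, no_lm_hash=False):
    """Describe how LM would split a password. No hash is computed."""
    if no_lm_hash or len(password) > LM_MAX_LEN:
        return {"lm_hash_stored": False, "halves": []}
    padded = password.upper().ljust(LM_MAX_LEN, "\0")
    halves = []
    for start in (0, LM_HALF_LEN):
        chunk = padded[start:start + LM_HALF_LEN].rstrip("\0")
        size = alphabet_size(chunk) if chunk else 0
        halves.append({
            "text": chunk,
            "alphabet": size,
            # Search space of this half alone, in bits, under the model.
            "bits": round(len(chunk) * math.log2(size), 1) if chunk else 0.0,
            # An empty half always hashes to the same published constant.
            "known_constant": None if chunk else LM_EMPTY_HALF,
        })
    return {"lm_hash_stored": True, "halves": halves}


if __name__ == "__main__":
    # Constructed samples: 8 characters with the special character last,
    # 7 characters with a special character inside, and a passphrase.
    for pw in ("Summer0!", "Sum#er0", "correct horse battery"):
        print(repr(pw), lm_layout(pw))
    # The same 8-character password once LM storage is switched off.
    print(lm_layout("Summer0!", no_lm_hash=True))
```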
|
|
Re: AD Password complexity - passwords too long?

In hindsight, it's funny that this discussion was brought up. I just saw this come across my feeds this evening --

http://blogs.technet.com/askds/archive/2009/05/19/understanding-password-policies.aspx

Discusses password policies and clears up some of the MS documentation. Hope it helps.

Anthony Petito

On Tue, May 19, 2009 at 1:11 PM, Cruz, Dariel <dcruz@...> wrote:
> Password length and complexity are two different policies, password complexity also includes the 6 char minimum flag. If I were you I would set the complexity policy first then the length policy and narrow it down that way, although it looks to me if you are getting the message that it failed complexity then it is not the length of the password that you are having the problem with as long as it is more than 6 char. In any event I would try one then the other :)
|
|
Re: AD Password complexity - passwords too long?

Hi, I'm just mentioning this in passing, assuming you already found the answer in the Group Policy thingy. Pass phrase length is far more superior than complexity. Password complexity encourages folks to write their passwords down. Suboptimal. Pass phrases are easy to remember and resistant to password crackers.

Ja,
Torsten
|
|
RE: AD Password complexity - passwords too long?

Password complexity rules can include similarity to previous passwords. Both passwords you are using contain the same 9 characters.

Try: sihts1dr0ws@pyM or something different

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of DG Gmail
Sent: Tuesday, May 19, 2009 2:06 PM
To: Brian K. Dore; focus-ms@...
Subject: Re: AD Password complexity - passwords too long?

Thanks for the replies all...

I have done the test below and still didn't work. I checked to make sure domain GPOs were being applied, and they are.

As I mentioned minimum password length is 8 characters.

If my password is Myp@sw0rd (as you can see it's actually 9) it works ok, but if I try to use Myp@sw0rd1sthis it does not work. It will not allow me to change it.

I have also checked the other requirements (history, username in password, etc...)

Could there be a restriction as far as using a special character more than once?

I have seen the documentation that states otherwise, but anything longer than 9-10 characters fails.

*shrug*

Daniel

<snip>
|
|
RE: AD Password complexity - passwords too long?

While there has been great information in this thread about password management, it doesn't really seem to be answering the original question, which is why is there an error being generated for passwords of more than 10 characters.

Dgonzalez, the first thing I would suggest is to try a completely randomly generated password of 12 characters, to ensure that you are not reusing a previous password that may be disallowed due to password history requirements. I'm not sure if I saw this suggestion as a test in a previous email.

Additionally, it is possible for a non-default password filter to be added to a system for password management.

Check the following registry key for non-default filters:
HKLM\System\CurrentControlSet\Control\LSA\Notification Packages

A changed password filter would be standard in a federal system, and is covered by the DISA STIG for Windows systems.

Hopefully this helps.

Jason Hurst
Sr. Network Security Administrator
Panda Restaurant Group
jason.hurst@...

Please consider the environment before printing this email

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Torsten Pihl
Sent: Tuesday, May 19, 2009 7:41 PM
To: dgonzalez.itpro@...
Cc: focus-ms@...
Subject: Re: AD Password complexity - passwords too long?

Hi, I'm just mentioning this in passing, assuming you already found the answer in the Group Policy thingy. Pass phrase length is far more superior than complexity. Password complexity encourages folks to write their passwords down. Suboptimal. Pass phrases are easy to remember and resistant to password crackers.

Ja,
Torsten
|
|
Re: AD Password complexity - passwords too long?

On 2009-05-19 ews wrote:
> Therefore, if you want to go with a minimum less than 15, use 7, else
> do 15+ and educate folks about the coolness of the passphrase. Just
> don't use 8. (see my article here - why 7 is better than 8:
> http://www.securityfocus.com/infocus/1319

http://support.microsoft.com/kb/299656

Problem solved.

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
|
|
Re: AD Password complexity - passwords too long?

Since we haven't seen an update from the OP since yesterday, I can only assume the issue is more than likely solved. That said, I don't think it was stated how he was changing his password. Is he going through the ADUC snap-in or changing it from a client machine?

If I remember correctly, when an Administrator changes a password through ADUC it bypasses the password history check *but* still adds that password to the history list for that user. Therefore, if an Administrator can set a password longer than 10 characters from ADUC one could only assume that the password you're resetting to probably does not meet the other complexity requirements that Group Policy is set to require.

Out of curiosity, I wonder if OP might have been using any NIST/NSA security checklists or guides to secure the environment. If so, the password requirements (from enpasflt.dll) could be set stronger than what the MSFT documentation spells out.

Anthony Petito

On Wed, May 20, 2009 at 1:43 PM, Jason Hurst <Jason.Hurst@...> wrote:
> While there has been great information in this thread about password
> management, it doesn't really seem to be answering the original
> question, which is why is there an error being generated for passwords
> of more than 10 characters.
>
> Dgonzalez, the first thing I would suggest is to try a completely
> randomly generated password of 12 characters, to ensure that you are not
> reusing a previous password that may be disallowed due to password
> history requirements. I'm not sure if I saw this suggestion as a test in
> a previous email.
>
> Additionally, it is possible for a non-default password filter to be added
> to a system for password management.
>
> Check the following registry key for non-default filters:
> HKLM\System\CurrentControlSet\Control\LSA\Notification Packages
>
> A changed password filter would be standard in a federal system, and is
> covered by the DISA STIG for Windows systems.
>
> Hopefully this helps.
>
> Jason Hurst
> Sr. Network Security Administrator
> Panda Restaurant Group
> jason.hurst@...
|
|
RE: AD Password complexity - passwords too long?

G'day Daniel,

We never recommend that clients use passwords, but passphrases. This way, by including proper case and punctuation, you've automatically complied with the complexity requirements and you've surpassed 14 characters - we suggest a sentence such as "At 3.00 on Friday I need to collect the kids from school." But using a sentence that isn't actually true (ie, this is a great example for a childless employee).

So, with our clients, we've pretty much *all* got passwords that far exceed 10 characters, and for that matter, we set the min password length to 12 on all sites (mainly because with SBS 2003, the SharePoint integration would break if the min password was longer than 12, however using 25+ char passwords works fine - it is the min password length setting that bOrks this integration).

--
http://hiltont.blogspot.com/

Regards,

Hilton Travis
Phone: +61 (0)7 3105 9101 (Brisbane, Australia)
Phone: +61 (0)419 792 394
Manager, Quark IT http://www.quarkit.com.au
Quark Group http://www.quarkgroup.com.au
Microsoft SBSC PAL (Australia) http://www.sbscpal.com/

War doesn't determine who is right. War determines who is left.

This document and any attachments are for the intended recipient only. It may contain confidential, privileged or copyright material which must not be disclosed or distributed without prior approval. Quark Group Pty Ltd :: ABN 23 114 975 772 Trading As Quark AudioVisual, Quark Automation, Quark IT
|
|
RE: AD Password complexity - passwords too long?

G'day EWS,

You forgot to mention that you can disable the generation of LMHash values which will remove this weakness. That's pretty much the first thing we do when installing a Windows Server - disable LMHash generation.

--
http://hiltont.blogspot.com/

Regards,

Hilton Travis
Phone: +61 (0)7 3105 9101 (Brisbane, Australia)
Phone: +61 (0)419 792 394
Manager, Quark IT http://www.quarkit.com.au
Quark Group http://www.quarkgroup.com.au
Microsoft SBSC PAL (Australia) http://www.sbscpal.com/

War doesn't determine who is right. War determines who is left.