W2K3 User Password Policy: List of banned words for passwords?
We used to have the same password throughout our organisation which never expired, and I have finally persuaded the powers that be that this is a mightily bad idea. However, as those same powers do not want overly complicated passwords (which would be a result of the password complexity setting), I have set their passwords to renew every 30 days without any other enforcements. What I don't want is the users deciding, firstly, to use their user name, the company name or "password", and secondly, I want to prevent them using the same password more than once (which I believe can be done via password policies). However, there doesn't appear to be an option to list "banned" words for passwords. Any ideas on what I can do?

Thanks, Cep
May 18th, 2009 6:35pm

Windows includes a setting called "Password must meet complexity requirements" that enables the use of passfilt.dll. By default this file demands that users create new passwords meeting the following requirements:

- The password is at least six characters long.
- The password contains characters from three of the following four categories:
  - English uppercase characters (from A through Z)
  - English lowercase characters (from a through z)
  - Base 10 digits (from 0 through 9)
  - Non-alphanumeric characters (for example: !, $, #, or %)
- The password does not contain three or more characters from the user's account name. If the account name is less than three characters long, this check is not performed, because the rate at which passwords would be rejected would be too high.

When checking against the user's full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes, hyphens, underscores, spaces, number signs (#), and tab characters. Each token that is three or more characters long is searched for in the password, and if it is present, the password change is rejected. For example, the name Erin M. Hagens would be split into three tokens: Erin, M, and Hagens. Because the second token is only one character long, it would be ignored. Therefore this user could not have a password that included either erin or hagens as a substring anywhere in the password. None of these checks are case-sensitive.

While the default passfilt.dll takes care of a couple of your wishes (no part of the username), it isn't an exact match. You can manually adjust passfilt.dll to include your options (banned words). The requirement to change the password every 30 days and password history can be set using the out-of-the-box password policies, indeed.
May 18th, 2009 7:13pm
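To make the rules in Sander's post concrete, here is a reference model of the default complexity check together with the banned-word list the thread is asking for. This is an added example, not Microsoft's passfilt.dll code and not the poster's; the banned-word list (`BANNED_WORDS`) and the sample names are constructed for the example, and treating "three or more characters from the account name" as "the whole account name, checked only when it is at least three characters long" is my reading of the rule as stated in the post.

```python
"""Model of the default passfilt.dll complexity rules plus a banned-word list.

Added example (not Microsoft's code). The banned-word check is the extension
a custom password filter would add on top of the default rules.
"""
import re
import string

# Delimiters that split the full name into tokens (per the post above).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")
MIN_LENGTH = 6
MIN_CATEGORIES = 3

# Constructed list for the example; an organisation would supply its own.
BANNED_WORDS = ("password", "contoso")


def name_tokens(full_name):
    """Split the full name and keep only tokens of three or more characters."""
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def category_count(pw):
    """Count how many of the four character categories the password uses."""
    alnum = string.ascii_letters + string.digits
    categories = [
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c not in alnum for c in pw),
    ]
    return sum(categories)


def check_password(pw, account_name, full_name, banned=BANNED_WORDS):
    """Return the list of reasons the password fails; an empty list means accepted.

    All substring checks are case-insensitive, as the post describes.
    """
    reasons = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if category_count(pw) < MIN_CATEGORIES:
        reasons.append("uses fewer than %d character categories" % MIN_CATEGORIES)
    # Account-name check is skipped for names shorter than three characters
    # (assumption: the whole account name is searched for as a substring).
    if len(account_name) >= 3 and account_name.lower() in lower:
        reasons.append("contains the account name")
    for tok in name_tokens(full_name):
        if tok.lower() in lower:
            reasons.append("contains name token %r" % tok)
    # Extension beyond the default filter: organisation-specific banned words.
    for word in banned:
        if word.lower() in lower:
            reasons.append("contains banned word %r" % word)
    return reasons


if __name__ == "__main__":
    # Constructed sample: the name from the post and a hypothetical account.
    for candidate in ("Erin2009!", "Password1", "Tr0ub4dor&3"):
        result = check_password(candidate, "ehagens", "Erin M. Hagens")
        print(candidate, "->", "accepted" if not result else "; ".join(result))
```

The default filter would already reject "Erin2009!" (it contains the name token "Erin"), while "Password1" passes the built-in rules and is only caught by the added banned-word list, which is exactly the gap the original question describes.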

Nice fact to remember, Sander. Thanx! My file server is being "crawled" a lot lately. I haven't looked for the tool to do it with. The logs clearly show a bunch of login names being tried at the server, alphabetical and in a very short amount of time. Cepeleon, I used the second phrase of your question, "List of banned words for passwords", as a search on Google and found a bunch.

Shems
Information is the most valuable commodity I know of.
May 19th, 2009 2:13am

Hi Sander, thanks for a very detailed post, very helpful. You mention that I can manually adjust the passfilt.dll to include the option of banned words; could you explain how I would go about this? Cheers!

Thanks, Cep
May 19th, 2009 12:32pm

Hi Shems, thanks for the reply. I did Google before posting but couldn't find anything specific to Windows domains; could you point me to a result you found helpful? Cheers!

Thanks, Cep
May 19th, 2009 12:38pm

Hi, thank you for your post. To create a custom passfilt.dll, I suggest that you post to the MSDN forum. The support professionals there are more experienced in programming and better qualified to assist you.

MSDN forum: http://forums.microsoft.com/msdn/default.aspx?siteid=1

In addition, here are some related articles for your reference:

Password Filter Programming Considerations
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/password_filter_programming_considerations.asp

Installing and Registering a Password Filter DLL
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/installing_and_registering_a_password_filter_dll.asp

Hope the information is helpful.
May 20th, 2009 9:46am

http://www.boingboing.net/2009/01/02/top-500-worst-passwo.html

In one of the comments there's a suggestion I should have thought about. It's the most secure (to date) way of securing a wireless connection: an entire sentence as a password. I just took a quick glance at the page and it seems to have some meaningful suggestions.

Information is the most valuable commodity I know of.
June 3rd, 2009 2:40am
