Educause Security Discussion mailing list archives

Re: Password policy


From: "Penn, Blake" <pennb () UWW EDU>
Date: Thu, 2 Nov 2006 09:06:59 -0600

You can also use GPOs or registry entries to enforce NTLM-family hashes if
passphrases and/or long passwords are not politically feasible in your
organization and/or if you want to enforce stronger hashes universally
(particularly if you don't need to support legacy Windows systems in a
domain environment).  But, if your hashes are unprotected you are in for
other problems anyway!

http://support.microsoft.com/kb/299656

____________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/

________________________________

From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Wednesday, November 01, 2006 6:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy


Just wondering: why is 8 characters often used as a common length for
passwords?

My understanding is that it is because older Unix systems had a maximum
password length of 8 characters so, if no more than that reason alone, 8
characters is a convention for a lot of Windows users.  Maybe because it's
simpler than telling users to have an 8-character password limit for Unix
accounts but a longer character limit for Windows accounts.

I thought that if a Windows password is at least 15 characters long, it
won't be stored using the LM hash (which is easier to crack because it
breaks the password into seven-character chunks and also makes everything
upper-case).

For sensitive Windows systems, therefore, we use a minimum 15-character
passphrase.

Harold
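The two points raised in this thread, the registry setting from KB299656 that Blake mentions and the 15-character threshold Harold relies on, can be checked from an elevated PowerShell session. The script below is an added example written for this archive page, not code from either poster or from Microsoft; it reads and sets the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the value the KB article documents, equivalent to the Group Policy setting "Network security: Do not store LAN Manager hash value on next password change") and illustrates, without computing any hash, why a password of 15 or more characters gets no LM hash at all. The function names and the sample passwords are this example's own.

```powershell
# Added example (not from the list thread): inspect and, optionally, set the
# NoLMHash value that KB299656 describes, and show why a 15+ character
# password sidesteps LM hash storage regardless of that setting.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NoLMHashSetting {
    # Returns 1 when LM hash storage is disabled, 0 when enabled, or $null
    # when the value has never been set (which behaves like 0 on old systems).
    $item = Get-ItemProperty -Path $LsaKey -Name 'NoLMHash' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoLMHash
}

function Disable-LMHashStorage {
    # Requires an elevated session. The change only affects future password
    # changes: LM hashes already in the SAM or AD remain until each account
    # next changes its password, which is why KB299656 pairs the setting with
    # a forced password change.
    New-ItemProperty -Path $LsaKey -Name 'NoLMHash' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-LMHashStorable {
    param([Parameter(Mandatory)][string]$Password)
    # LM hashing uppercases the password, pads or truncates it to 14 bytes and
    # processes each 7-byte half independently, so every LM hash is really two
    # small, case-insensitive puzzles. Windows stores no LM hash at all when
    # the password is 15 characters or longer, so such passwords are protected
    # even on a system where NoLMHash was never configured.
    if ($Password.Length -ge 15) {
        return [pscustomobject]@{ LMHashStored = $false; Halves = @() }
    }
    $padded = $Password.ToUpperInvariant().PadRight(14, [char]0)
    return [pscustomobject]@{
        LMHashStored = $true
        Halves       = @(
            $padded.Substring(0, 7).TrimEnd([char]0),
            $padded.Substring(7, 7).TrimEnd([char]0)
        )
    }
}

# Usage: report the current state and contrast the two password lengths.
"NoLMHash = $(Get-NoLMHashSetting)"
Test-LMHashStorable -Password 'Summer2006!'              # 11 chars: LM hash stored, halves 'SUMMER2' and '006!'
Test-LMHashStorable -Password 'correct horse staple 06'  # 23 chars: no LM hash stored
# Disable-LMHashStorage   # uncomment on a machine where you intend to change the setting
```

On a domain, set the policy through a GPO linked to the domain controllers and member servers rather than editing the registry host by host; the registry check above is still useful for confirming that the policy actually applied to a given machine.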

