Microsoft Strong Passwords

Just a reminder about passwords for clients where we have enabled “Passwords must meet complexity requirements”. I received a call today from another tech needing help, and here are the specific criteria:

When this setting is enabled user passwords will have the following requirements:

• The password is at least six characters long.

• The password contains characters from three of the following five categories: English uppercase characters (A-Z); English lowercase characters (a-z); base 10 digits (0-9); non-alphanumeric characters (for example: !, $, #, or %); Unicode characters.

• The password does not contain three or more characters from the user’s account name. If the account name is less than three characters long then this check is not performed because the rate at which passwords would be rejected would be too high. When checking against the user’s full name several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound-signs and tabs. For each token that is three or more characters long, that token is searched for in the password, and if it is present, the password change is rejected. For example, the name “Erin M. Hagens” would be split into three tokens: “Erin,” “M,” and “Hagens.” Since the second token is only one character long it would be ignored. Therefore, this user could not have a password that included either “erin” or “hagens” as a substring anywhere in the password. All of these checks are case insensitive.

In this specific instance, the problem was that the user was trying to use part of their name in their password.
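As an added illustration (this is not code from the original post or from Microsoft's own implementation), here is a Python check that applies the three rules above to a candidate password and reports which one rejected it. It assumes the account-name rule means the whole account name, when it is at least three characters long, is searched for as a case-insensitive substring, and it treats ASCII punctuation as the non-alphanumeric category; the account name `ehagens` and the candidate passwords are constructed.

```python
import re
import string

MIN_LENGTH = 6
MIN_CATEGORIES = 3

# Delimiters the policy uses when splitting the full name into tokens
# (commas, periods, dashes/hyphens, underscores, spaces, pound signs, tabs).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name):
    """Split a full name into the tokens long enough to be checked (3+ characters)."""
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def category_count(password):
    """How many of the five character categories the password draws from."""
    categories = (
        lambda c: c in string.ascii_uppercase,
        lambda c: c in string.ascii_lowercase,
        lambda c: c in string.digits,
        lambda c: c in string.punctuation,        # non-alphanumeric, e.g. ! $ # %
        lambda c: ord(c) > 127 and c.isalpha(),   # Unicode letters such as "é"
    )
    return sum(any(test(c) for c in password) for test in categories)


def offending_name_part(password, account_name, full_name):
    """Return the account name or name token found inside the password, or None.

    All comparisons are case-insensitive. Account names and name tokens shorter
    than three characters are skipped, as the policy describes.
    """
    haystack = password.lower()
    if len(account_name) >= 3 and account_name.lower() in haystack:
        return account_name
    for token in name_tokens(full_name):
        if token.lower() in haystack:
            return token
    return None


def check_password(password, account_name, full_name):
    """Apply the complexity rules in order; return (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    found = category_count(password)
    if found < MIN_CATEGORIES:
        return False, "uses %d of 5 character categories, need %d" % (found, MIN_CATEGORIES)
    part = offending_name_part(password, account_name, full_name)
    if part is not None:
        return False, "contains name part %r" % part
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the user named in the post with a made-up account name.
    for candidate in ("Hagens2024!", "Monday is coffee day!", "Ab1!", "abcdefgh"):
        print(candidate, check_password(candidate, "ehagens", "Erin M. Hagens"))
```

Running it shows the case from the call above: a password built around "Hagens" is rejected with the name part named, which is the message to give a user before they try a third variation of the same thing.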

Checking for strength:

Also here is a great resource for checking the relative strength of a password: https://www.microsoft.com/protect/fraud/passwords/checker.aspx

Also just a personal note about passwords:

Passwords that are written down are very vulnerable, so I personally favor easy-to-remember passphrases. Obviously, you cannot use a common phrase (such as a movie quote – ‘you had me at hello’), but an ordinary sentence can pass the “strong password requirement” and be significantly cryptographically stronger than a truly random password – even if the attacker knows that it uses only upper case, lower case, space and period. It is easy enough to remember that it does not need to be written down; writing a password down will cause even the strongest password requirements to fail.

The password:  Monday is coffee day! (21 characters @ 3.53E+36 combinations)

Is stronger than:  gU6adadRAcU8a+RANA (18 characters @ 3.28E+35 combinations) – and a whole lot easier to remember and faster to type.

Of course, adding l33t speak would be even stronger:  M0nday 1s coff33 day! (21 characters @ 2.73E+41 combinations)

Or compare the common 6 character password (6.9E+11 combinations) with a 7 character passphrase (1.52E+12). That said, passphrases are not effective below 14 characters; it would be hard to come up with a random enough passphrase of fewer than 15 characters, and anything above 20 is generally regarded as best. Anything above 14 characters also resolves the inherent weaknesses of LM password hashes.

Passphrase: My wife Hannas. (15 characters @ 1.27E+26 combinations)
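The figures quoted above follow a per-character model: the number of combinations is the alphabet size raised to the password length. The Python below is added here and is not part of the post; it reproduces those figures and adds the check a practitioner should make alongside them, namely what the same phrase looks like under a word-guessing model where an attacker tries whole dictionary words rather than characters. The alphabet sizes (55 for the passphrases, 94 for the random and l33t-speak passwords) are assumptions reverse-engineered from the post's numbers, and the 20,000-word dictionary is a constructed illustration.

```python
import math

# Alphabet sizes that reproduce the figures in the post (an assumption, reverse-engineered:
# 55**21 = 3.53E+36 and 94**18 = 3.28E+35). 55 fits upper + lower + space + period + "!",
# and 94 is printable ASCII without the space.
PASSPHRASE_ALPHABET = 55
FULL_ASCII_ALPHABET = 94


def char_keyspace(password, alphabet_size):
    """Candidates to cover when trying every string of this length over the alphabet."""
    return alphabet_size ** len(password)


def word_keyspace(passphrase, dictionary_size):
    """Candidates when whole words are guessed from a dictionary instead of characters."""
    return dictionary_size ** len(passphrase.split())


def bits(keyspace):
    """Keyspace expressed as the equivalent bits of a uniformly random key."""
    return math.log2(keyspace)


def sci(keyspace):
    """Scientific notation in the style of the post, e.g. 3.53E+36."""
    return "%.2E" % keyspace


def stronger(a, a_alphabet, b, b_alphabet):
    """Return whichever password has the larger per-character keyspace."""
    return a if char_keyspace(a, a_alphabet) > char_keyspace(b, b_alphabet) else b


if __name__ == "__main__":
    phrase, random_pw = "Monday is coffee day!", "gU6adadRAcU8a+RANA"
    print(phrase, sci(char_keyspace(phrase, PASSPHRASE_ALPHABET)))
    print(random_pw, sci(char_keyspace(random_pw, FULL_ASCII_ALPHABET)))
    print("stronger per character:", stronger(phrase, PASSPHRASE_ALPHABET, random_pw, FULL_ASCII_ALPHABET))
    # The same phrase when four words are guessed from a constructed 20,000-word list.
    words = word_keyspace(phrase, 20_000)
    print(phrase, "word model:", sci(words), "%.1f bits" % bits(words))
```

The per-character figures match the post to three significant digits. The word-model line is the caveat: four common words from a 20,000-word list come to roughly 57 bits, far below the 121 bits the per-character count suggests, which is why the post's advice to avoid common phrases and to go well past 14 characters matters more than the raw combination count.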

But again, this is my own 2 cents.