Enforce Full or Selective Complexity on Passwords?



  • So I'm setting up a GPO for a client and was curious if anyone knew if it was possible to enforce full complexity and/or selective complexity. For example, I've only found the option for password complexity, which is 3/4 of the criteria being upper and lower case, numbers, and special characters. I am making two GPOs right now for the client. The one for users he wants to be 15 character min (14 is the max possible so I set it to that) and then have upper and lower case required but nothing else REQUIRED (obviously the rest is still optional) with a 1 year expiration. We actually decided on that idea, overall, based on a conversation we had today, during which I drew on information from the conversation that was had here on ML recently about passwords. I don't remember the thread but @scottalanmiller made some excellent points in it.

    Anyways, for domain admins, he wants 8 character minimums but he wants all four categories to be required. So my question is: is there anywhere you can specify your complexity requirements that I might be missing, or is that option all encompassing and not really something you tweak? Thanks in advance!

    A.J.



  • Don't know.

    I was just wondering why anyone would want a 15 character min?

    Password length is really only designed to prevent brute force attacks, right? How common are brute force attacks? And how much does a minimum length really protect you? After all, I imagine a long password like Password123 would be cracked with a dictionary attack way before something like gj4~3G is cracked by brute force.



  • @Carnival-Boy said:

    Don't know.

    I was just wondering why anyone would want a 15 character min?

    Password length is really only designed to prevent brute force attacks, right? How common are brute force attacks? And how much does a minimum length really protect you? After all, I imagine a long password like Password123 would be cracked with a dictionary attack way before something like gj4~3G is cracked by brute force.

    Length is really important because if it is short, brute force is super easy. Only when it is long is it not. But enforcing complexity effectively breaks normal security (at a human practical level) and makes this completely pointless - people will make easy passwords that are easily dictionary-attackable. This is someone sabotaging the firm, not someone looking for security.



  • @scottalanmiller said:

    @Carnival-Boy said:

    Don't know.

    I was just wondering why anyone would want a 15 character min?

    Password length is really only designed to prevent brute force attacks, right? How common are brute force attacks? And how much does a minimum length really protect you? After all, I imagine a long password like Password123 would be cracked with a dictionary attack way before something like gj4~3G is cracked by brute force.

    Length is really important because if it is short, brute force is super easy. Only when it is long is it not. But enforcing complexity effectively breaks normal security (at a human practical level) and makes this completely pointless - people will make easy passwords that are easily dictionary-attackable. This is someone sabotaging the firm, not someone looking for security.

    Yeah, I remember reading some info about the math behind it. Even with a fully complex password, if it's 8-10 characters, there are still only so many possibilities. Once it hits 14 or 15 and goes up from there, it just gets exponentially harder, because the sheer number of combinations to try goes up and up like crazy.



  • Fully complex doesn't make it harder to guess - it just makes it harder to remember. Complexity is a human prevention technique, it does nothing to prevent a computer attack.





  • At eight characters, a brute force attack is pretty easy. It takes hours for a good desktop to crack. Go to sixteen and super computers can't do it in a week.



  • How common is a brute force attack on AD? How would it work?



  • But I want to thank you @scottalanmiller for that thread from before as it helped me with this customer and I could talk to them and feel confident about what I was saying. 🙂



  • @Carnival-Boy said:

    How common is a brute force attack on AD? How would it work?

    Honestly, the biggest threat is always internal. If a company doesn't have any public facing servers, the chances for an attack even being possible are slim. Having strong passwords was always most important to prevent employees from using each others' passwords, or figuring them out.



  • @Carnival-Boy said:

    How common is a brute force attack on AD? How would it work?

    Relatively common and yes, it works. The way that it is normally done is not through the LDAP interface but offline against a copy f the database. Most users in "complexity enforced" environments can be cracked in minutes.



  • @thanksaj said:

    @Carnival-Boy said:

    How common is a brute force attack on AD? How would it work?

    Honestly, the biggest threat is always internal. If a company doesn't have any public facing servers, the chances for an attack even being possible are slim. Having strong passwords was always most important to prevent employees from using each others' passwords, or figuring them out.

    And against password hash shipping.



  • @coliver said:

    http://imgs.xkcd.com/comics/password_strength.png

    Never got this image. Use 4 random words and now dictionary attack doesn't work?

    Also whatever happened to use scary passwords but use Lastpass or Keepass to hold all that crap passwords?



  • @technobabble said:

    @coliver said:

    http://imgs.xkcd.com/comics/password_strength.png

    Never got this image. Use 4 random words and now dictionary attack doesn't work?

    Also whatever happened to use scary passwords but use Lastpass or Keepass to hold all that crap passwords?

    LastPass isn't for everything. You can't login to Windows with LastPass. There are a lot of things you can't use LastPass for.



  • @thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.



  • One day I will forget my KeePass master password and my life will be over 😞



  • @technobabble said:

    @thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.

    Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.



  • @thanksaj said:

    @technobabble said:

    @thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.

    Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.

    Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

    Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.



  • @technobabble said:

    @thanksaj said:

    @technobabble said:

    @thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.

    Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.

    Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

    Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.

    From my knowledge a dictionary attack goes through every word in its dictionary from a-z to identify the password. It would then have to go through every word it its dictionary coupled with every other word in its dictionary. Depending on the size of the dictionary (huge) it needs to find 4 words that match to meet the password. The combinations would be in the... hundreds of trillions? I haven't done permutations in awhile so someone who is good at math should check my work.



  • @technobabble said:

    @thanksaj said:

    @technobabble said:

    @thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.

    Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.

    Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

    Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.

    Like I said, it's certainly one way to apply the features they've built into their products, but it's not really LastPass doing something special. There are plenty of places you can store secure notes. I wasn't saying you were wrong if you did that. I'm just saying that if someone at LastPass was trying to convince you why you should use their product, you wouldn't hear that mentioned as a reason.



  • @coliver said:

    @technobabble said:

    @thanksaj said:

    @technobabble said:

    @thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.

    Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.

    Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

    Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.

    From my knowledge a dictionary attack goes through every word in its dictionary from a-z to identify the password. It would then have to go through every word it its dictionary coupled with every other word in its dictionary. Depending on the size of the dictionary (huge) it needs to find 4 words that match to meet the password. The combinations would be in the... hundreds of trillions? I haven't done permutations in awhile so someone who is good at math should check my work.

    Yeah, the English language is pretty large, and always growing thanks to new words that are invented and words from other languages we just adopt. So it could very easily be trillions of possibilities.



  • Dictionaries can still be used with long passwords but they become much more complex. Things like spaces add to that. And any complexity like punctuation does too. It defeats dictionary attacks the same way that long strings always make guessing harder.

    Complexity does not impact a dictionary attack unless you are using random characters which defeats human memorization.



  • @scottalanmiller said:

    Dictionaries can still be used with long passwords but they become much more complex. Things like spaces add to that. And any complexity like punctuation does too. It defeats dictionary attacks the same way that long strings always make guessing harder.

    Complexity does not impact a dictionary attack unless you are using random characters which defeats human memorization.

    Post-It under the keyboard anyone? 😛



  • @coliver said:

    @technobabble said:

    @thanksaj said:

    @technobabble said:

    @thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.

    Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.

    Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

    Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.

    From my knowledge a dictionary attack goes through every word in its dictionary from a-z to identify the password. It would then have to go through every word it its dictionary coupled with every other word in its dictionary. Depending on the size of the dictionary (huge) it needs to find 4 words that match to meet the password. The combinations would be in the... hundreds of trillions? I haven't done permutations in awhile so someone who is good at math should check my work.

    Ah ha...well now that makes sense to me...thanks for taking the time to share!



  • @thanksaj said:

    @technobabble said:

    @thanksaj said:

    @technobabble said:

    @thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.

    Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.

    Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

    Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.

    Like I said, it's certainly one way to apply the features they've built into their products, but it's not really LastPass doing something special. There are plenty of places you can store secure notes. I wasn't saying you were wrong if you did that. I'm just saying that if someone at LastPass was trying to convince you why you should use their product, you wouldn't hear that mentioned as a reason.

    Why are you still arguing with me about my personal preference? I never mentioned that LastPass tried to convince me of anything. Can we move on?



  • @technobabble said:

    @thanksaj said:

    @technobabble said:

    @thanksaj said:

    @technobabble said:

    @thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.

    Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.

    Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

    Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.

    Like I said, it's certainly one way to apply the features they've built into their products, but it's not really LastPass doing something special. There are plenty of places you can store secure notes. I wasn't saying you were wrong if you did that. I'm just saying that if someone at LastPass was trying to convince you why you should use their product, you wouldn't hear that mentioned as a reason.

    Why are you still arguing with me about my personal preference? I never mentioned that LastPass tried to convince me of anything. Can we move on?

    I didn't say they did, and I wasn't arguing with you. If you want to do that, go right ahead. I have no issue with it, and you're welcome to do it that way if you want.



  • One day we'll be telling our grandkids about how computers did recognise our retinas or whatever and we had to remember stacks of physical passwords and they'll be like "man, that must have sucked!". I'll probably tell them whilst they're flicking through my record collection.



  • @Carnival-Boy said:

    One day we'll be telling our grandkids about how computers did recognise our retinas or whatever and we had to remember stacks of physical passwords and they'll be like "man, that must have sucked!". I'll probably tell them whilst they're flicking through my record collection.

    ROFL! Yeah, probably...



  • Was at a Cyber Security Training today. the Detective with the local Cyber Crimes unit; attached to the FBI suggested to completely DROP Passwords and go with Pass PHRASES... And use nothing short of 16 characters... He commonly uses 43 characters..(or more).

    Of course I have run into SEVERAL sites only allow 8 ... I plan to ask him on that one..



  • @g.jacobse said:

    Was at a Cyber Security Training today. the Detective with the local Cyber Crimes unit; attached to the FBI suggested to completely DROP Passwords and go with Pass PHRASES... And use nothing short of 16 characters... He commonly uses 43 characters..(or more).

    This is just another way of stating that people need to drop the complexity. The assumption is that without the need for complexity, passphrases become easy. This has been the standard answer for security professionals for over a decade. When we say "no complexity requirements" we also assume "good end user training" and that should always teach people to use phases, not words.


Log in to reply