Changing password length

0 pts.
Tags:
Security
We are moving from a max password length of 10 which is not case sensitive, to a max password length of 128 which is case sensitive. Is there a way to determine if any users used Upper and lower case when creating their password?
ASKED: June 16, 2006  11:59 AM
UPDATED: July 26, 2006  4:52 PM

Answer Wiki

Thanks. We'll let you know when a new response is added.

what is your OS?

If Windows: What is the currently policy for how the computer Hashes Passwords? (If someone could please explain to the forum what I mean by Hashing it’d b appreciated I just can’t think of the words.)

There are a number of programs on Sourceforge.com that’ll pull up passwords from the Windows Hash

Discuss This Question: 4  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Stevesz
    Every OS I have worked with have policies that set the allowable length of the password as well as how it can be constructed. Set the policy according to what you have decided. Then set the policy to force a password change at whatever interval you wish. My opinion is that if you are not aware of this, you should not be messing around with such things.
    2,015 pointsBadges:
    report
  • JeffJAG
    If your QPWDLVL system value is currently at 0 or 1, all passwords on the AS/400 are stored as case insensitive. There will be no passwords that have upper and lower case chracters. When a user types in the password on an AS/400 password prompt (5250 emulation or dumb terminal, Client Access logon, etc.), it is all translated to a single case whether the user uses the SHIFT key or not(except the SHIFT key will pass the characters above the number keys - #,@,_,$). When OS/400 propagates passwords down to our Windows server on our FSIOP (also called IPCS or IXS), they come down as all lower case. Our users log on to their Windows machines using all lower case passwords and userids, and these are sent to the AS/400 when they access functions on it. If you are going to QPWDLVL 2 or 3, make sure all your other systems in your network support the long, case-sensitive passwords.
    0 pointsBadges:
    report
  • Rayj00
    You don't mention what OS you are using, but I'll guess Windows of some flavor. There is a "complex password" dll that will force complex passwords. It's called enpasflt.dll and may be available from the NSA site. This dll will require upper, lower, numbers and special characters to be included in newly created passwords. (Old password created prior to loading this dll are not affected until changed.) Microsoft also has a similar dll called passfilt.dll but I have not used it so I don't know it's criteria for password creation.
    10 pointsBadges:
    report
  • ITDefensePatrol
    As noted above, this depends on the OS. For windows, the passflt and similar is probably the best way. This invokes a rule to require users to make passwords per the policy you establish (acceptable use policies). Some of the passflt and similar DLLs don't check for everything or can be buggy. Test to see if it does what you want acceptably and that it works in your environment. For U/*/Linux, there are some variations by distribution. The parameters are similar as with Win, but configuration can vary. Also, you only stated that you would be using UPPER and lower. Your policy should also include numbers and special characters (9@). Using only UPPER and lower characters (Aa) is extremely weaker than also including numbers and special. Unless your system will only allow Aa. If that is so, then 10 characters minimum is very deficient - you will need longer passwdds. There are a couple ways to "verify" password. You could create a login script/login page that checks beyond what the passflt does. Another is to do periodic cracking (warning, get written permission), but this is tedious and problematic. A couple of other points, password strength and length are only two parameters. password min. life (how soon can be changed) and max. life (longest) should also be considered. for example, if password is 8 long (even with aA9@ construct) max life should be around 30 days. But if passwd is 15 long, it could be used for 90 days. (these are simple examples - your mileage should vary). Other factors are how many fails, time between fails, timeout on fail or adminstrator needed on fail. Also, how long is too long? There are studies that show paswd of around 14-18 is max the average brain can deal with. Teach users HOW to make good passwd - "I am the example of a master of information security" becomes the passwd 1@mAxm9l0f-MNFoSec for example. Also, you should determine if 10 is long enough for your environment (when other factors considered). The NSA had a study (by Trusted Systems?) that explained all these numbers very thoroughly as well as very simply (whew!).
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following