Annoying Windows Password Complexity

I had to change a client's password last week, and when I did I found out that they are one of those shops who think that turning on the Windows Minimum Password Complexity Requirements will make them more secure.

I already, by default, use passwords that are secure enough to defeat a casual hacker and a dictionary attack. I use passwords made of letters with at least one symbol (basically, SHIFT-number) and at least one number. I usually don't bother mixing case because not all password systems are case sensitive (MS SQL Server, for instance, isn't, and usually the software that I write isn't case sensitive either).

So I tried my usual fare: &krkt6505, four easy-to-remember letters, an easy-to-remember number, and a symbol tacked on the beginning. PLENTY secure.

No dice. Windows Minimum Password Complexity Rules (MPCR) says, “uh-uh – not complex enough.”

Cripes. Ok, how about adding an Upper Case. &Krkt6505.

Bzzzzt!

What the…?

Ok, add another symbol and an extra digit. &Krkt65052%

Bzzzzzzzzzzzzzzzzzzzzzzzt!!!!

For crying out loud.

After a lot of trying, I found out that it requires TWO upper case letters. Now this is just dumb, because it doesn't care how many lower case letters there are, just so long as there are at least two upper case.

So what eventually got it?

Dig this: &AAA111

Holy cow. THAT is complex enough, but &Krkt65052% is NOT?????
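As an added example (not part of the original post), the following Python function implements the rule as Microsoft documents it for the "Password must meet complexity requirements" setting: at least six characters, characters from at least three of five categories (upper case, lower case, digits, non-alphanumeric, and other alphabetic characters such as CJK letters), and no occurrence of the account name or of any three-plus-character token of the display name. The account and display names fed to it are constructed for illustration, and the separate "Minimum password length" policy is deliberately left out. Running candidates through it before typing them at the console tells you which clause a rejection comes from, and the last case shows the one that is easy to miss: a password that is otherwise fine is refused when it happens to contain the account name.

```python
import re
import unicodedata

# Minimum length enforced by the complexity setting itself (assumption: the
# separate "Minimum password length" policy is not modelled here).
MIN_LENGTH = 6

# Delimiters Windows uses to split the display name into tokens.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_fragments(account_name="", display_name=""):
    """Lower-cased strings a compliant password must not contain."""
    fragments = []
    # The account name is checked whole, but skipped when shorter than 3 chars.
    if len(account_name) >= 3:
        fragments.append(account_name.lower())
    # Each display-name token of three or more characters is checked on its own.
    for token in _NAME_DELIMITERS.split(display_name):
        if len(token) >= 3:
            fragments.append(token.lower())
    return fragments


def character_categories(password):
    """Which of the five category buckets the password draws from."""
    cats = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            cats.add("upper")
        elif cat == "Ll":
            cats.add("lower")
        elif cat == "Nd":
            cats.add("digit")
        elif ch.isalpha():
            cats.add("other-alpha")   # letters with no case, e.g. CJK
        else:
            cats.add("symbol")        # punctuation, currency, space, ...
    return cats


def check_complexity(password, account_name="", display_name=""):
    """Return (accepted, reasons); reasons is empty when accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for frag in name_fragments(account_name, display_name):
        if frag in lowered:
            reasons.append(f"contains name fragment {frag!r}")
    cats = character_categories(password)
    if len(cats) < 3:
        reasons.append(f"only {len(cats)} of 5 character categories: {sorted(cats)}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Candidates from the post, plus a constructed account whose samAccountName
    # happens to be the four letters used in the password.
    for pw, acct in [("&krkt6505", "combatdba"), ("&Krkt65052%", "combatdba"),
                     ("&AAA111", "combatdba"), ("&krkt6505", "krkt")]:
        ok, why = check_complexity(pw, account_name=acct)
        verdict = "OK" if ok else "REJECTED: " + "; ".join(why)
        print(f"{pw:12} as {acct:10} -> {verdict}")
```

The category test is deliberately coarse, which is exactly the point the post makes: it counts kinds of characters, not how hard the password is to guess, so &AAA111 satisfies it just as well as a much longer mixed password.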

I have a problem overall with password complexity. For my clients that insist on using it, I claim that they are actually LESS secure.

By making passwords THAT complex, you are almost guaranteeing that users will WRITE THEM DOWN SOMEWHERE!

And to prove it, I offer to guarantee them that within five minutes of walking around their office, I can find one of those passwords written down somewhere.

At one of my clients, the client has mandated that the admin password be so complex that even I cannot remember it. As proof of my concept, I'm walking around with this password written down in my wallet. And to make matters much worse, it's descriptive enough that anyone who found it would know WHOSE password it is!!!

This business of substituting certain numbers for certain letters is kinda lame: they are simple substitutions, and a basic dictionary crack that takes them into account would easily defeat a lot of such passwords.
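As an added example (not from the original post), here is the kind of rule-based dictionary attack that paragraph is talking about, in Python: each dictionary word is tried in three capitalisations, with every combination of the usual letter-for-symbol substitutions, and with a handful of suffixes people bolt on when a policy demands a digit or a symbol. The wordlist, the substitution table, the suffix list and the unsalted SHA-256 target are all constructed for illustration; a real run would use a leaked wordlist and the hash type actually in play. "P@ssw0rd!" falls out of a four-word list in well under two thousand guesses, while a string like &krkt6505 that is not built from a dictionary word is never generated at all.

```python
import hashlib
import itertools

# Common single-character substitutions; each letter maps to its stand-ins.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7", "l": "1"}

# Constructed stand-in for a leaked wordlist.
WORDLIST = ["password", "welcome", "summer", "letmein"]

# Suffixes users add when forced to include a digit or a symbol.
SUFFIXES = ("", "1", "123", "!", "2019")


def sha256_hex(s):
    """Unsalted SHA-256, standing in for whatever hash is under attack."""
    return hashlib.sha256(s.encode()).hexdigest()


def leet_variants(word):
    """Yield every mix of original and substituted characters for `word`."""
    options = []
    for ch in word:
        opts = [ch]
        opts.extend(LEET.get(ch.lower(), ""))   # substitutions apply to A and a alike
        options.append(opts)
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(base):
    """Case, substitution and suffix mangling of one dictionary word."""
    for cased in (base, base.capitalize(), base.upper()):
        for variant in leet_variants(cased):
            for suffix in SUFFIXES:
                yield variant + suffix


def crack(target_hash, wordlist=WORDLIST):
    """Return (plaintext or None, number of candidates hashed)."""
    tried = 0
    for base in wordlist:
        for cand in candidates(base):
            tried += 1
            if sha256_hex(cand) == target_hash:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    for secret in ("P@ssw0rd!", "W3lcome123", "&krkt6505"):
        found, tried = crack(sha256_hex(secret))
        print(f"{secret:12} -> {found!r} after {tried} candidates")
```

The search space here is the product of a few small choices per letter, so every substitution rule that an attacker bothers to encode costs them a constant factor, not the exponential growth that a genuinely longer or random password would. That is why "Pa$$w0rd" adds almost nothing over "password".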

About combatdba

I'm a production DBA at a terabyte-class SQL Server Shop
This entry was posted in S.W.A.T.