
Domain logon passwords

  • 19-10-2009 10:53am
    #1
    Registered Users, Registered Users 2 Posts: 3,247 ✭✭✭


    Hey people,

    Hopefully you guys will have some ideas.

    I'm sick of users on the network recycling passwords by just changing one character.

    I have complex passwords enabled via group policy but it's not really enough.
    Yes, that makes the password complex but now users just have ****ty passwords like Ir€land1, then next week it's Ir€land2 etc....

    Is there any way I can stop this? Whether it's by settings in group policy or by some additional software.


Comments

  • Registered Users, Registered Users 2 Posts: 7,606 ✭✭✭Jumpy


    That's moving into another level of complexity again. I assume you want something that won't cost you money, but if you are looking to improve network security then rather than making passwords stronger than complex, maybe look at multi-factor authentication.


  • Registered Users, Registered Users 2 Posts: 3,247 ✭✭✭goodlad


    Well, I'm not against paying for something to do this, well unless it cost a crazy amount.

    I will take a look into multi-factor authentication now.
    Cheers :)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    think Microsoft's own password filter already covers this issue as a GPO with enforce password history option?

    it should work anyway..


  • Registered Users, Registered Users 2 Posts: 613 ✭✭✭smog


    the more you "force" users to change passwords the more they will potentially write it down .. therefore acting less secure.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    well, I don't think either of us can speculate on whether every user will write their password down or not.

    I could say giving anyone access to a computer or network is "less secure"

    but I suppose MFA would be a nice solution, just not sure it's the cheapest option.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    goodlad wrote: »
    Well, I'm not against paying for something to do this, well unless it cost a crazy amount.

    I will take a look into multi-factor authentication now.
    Cheers :)

    Check out http://www.yubico.com

    Yubikey is a tiny USB key (no battery to replace) that squirts a long code that changes every time it is used. It appears to the software as keyboard entered data. Small. Simple.


  • Registered Users, Registered Users 2 Posts: 3,247 ✭✭✭goodlad


    Martyr wrote: »
    think Microsoft's own password filter already covers this issue as a GPO with enforce password history option?

    it should work anyway..

    All that does is remember exact passwords, so it won't stop anyone just changing one character when it's time to pick a new password.


  • Registered Users, Registered Users 2 Posts: 3,247 ✭✭✭goodlad


    probe wrote: »
    Check out http://www.yubico.com

    Yubikey is a tiny USB key (no battery to replace) that squirts a long code that changes every time it is used. It appears to the software as keyboard entered data. Small. Simple.

    Thanks, I will check that out :)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    goodlad wrote:
    All that does is remember exact passwords, so it won't stop anyone just changing one character when it's time to pick a new password.

    There are some password filters you can buy; there may be some free ones which you could modify for your purposes.

    With enforce password history enabled, you could obtain a list of previous passwords using SamIGetPrivateData() specifying NTPASSWORDHISTORY or LMPASSWORDHISTORY (if you have LM hash supported)

    SamrQueryInformationUser() also has an option, I believe.

    Compare the new password with old values and reject if similar -- don't know why Windows doesn't do this already, would be useful.
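
The "compare with old values and reject if similar" idea from the last post, as an added example that is not part of the thread or any poster's code: because a password history holds hashes rather than plaintext, similarity is tested by deriving the near variants of the proposed password and hashing each one. Assumptions: the history hashes are unsalted, SHA-256 stands in for the real stored hash, and the names `stored_hash`, `near_variants` and `too_similar` are hypothetical.

```python
import hashlib
import re
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def stored_hash(password):
    # Assumption: stand-in for the unsalted hash kept in the password history.
    # SHA-256 is used here only so the example runs anywhere.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def near_variants(candidate, window=3):
    """Return candidate plus every password one small edit away from it."""
    variants = {candidate, candidate[:-1]}           # exact reuse, last char dropped
    for ch in ALPHABET:
        variants.add(candidate + ch)                 # one character appended
        for i in range(len(candidate)):              # one character replaced
            variants.add(candidate[:i] + ch + candidate[i + 1:])
    # Trailing counter moved or removed: Pass10 -> Pass9, Pass11, Pass
    m = re.fullmatch(r"(.*?)(\d+)", candidate, re.S)
    if m:
        stem, num = m.group(1), int(m.group(2))
        variants.add(stem)
        for n in range(max(0, num - window), num + window + 1):
            variants.add(f"{stem}{n}")
    return variants

def too_similar(candidate, history_hashes, hash_fn=stored_hash):
    """True if the candidate or a near variant matches a history entry."""
    history = set(history_hashes)
    return any(hash_fn(v) in history for v in near_variants(candidate))

# Constructed sample history (hashes only, as a filter would see them).
HISTORY = [stored_hash("Ir€land1"), stored_hash("Pass9")]

if __name__ == "__main__":
    for pw in ("Ir€land2", "Ir€land", "Pass10", "correct horse battery"):
        print(pw, "->", "reject" if too_similar(pw, HISTORY) else "accept")
```

Each check hashes roughly 94 × (length + 1) variants, which is cheap for a fast unsalted hash; a salted history would need the variants hashed once per entry instead of a single set lookup.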

