Posted by Roger Abell [MVP] on January 22, 2008, 10:19 pm
It is highly likely your users need to be informed accurately,
but that you do not have a full grasp on the complexity rules.
What do you think they are? In addition to length and change
frequency (separate settings) the complexity requirements are
not just use of 3 of the 4 character sets, but also one cannot
include user name (and there are the other settings controlling
reuse of passwords).
Keep in mind that the existing complexity rules are close to
meaningless, as a password such as 1Password! will pass but will get
discovered in a rainbow table attempt in very little time.
Perhaps you should not just inform your users of the minimum
to meet the complexity rules, but also advise them on what
makes for a good password (e.g., a long phrase).
Roger
> We are getting ready to implement complex passwords in our domain. I've done
> some testing and it seems there are times when even though I'm meeting all of
> the complex passwords requirements, it will still not accept my new password.
> I'm curious if by implementing more complex passwords, there is also a
> requirement that the passwords cannot be easily subjected to dictionary
> lookups? I haven't been able to find anything that talks about this so I was
> just wondering if it's something I need to warn my users about.
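
Added example, not part of the original post and not Microsoft's code: a simplified Python model of the complexity check described in the reply (3 of the 4 character sets, no user name), useful for explaining to users why a password that looks compliant is refused. The function name, the minimum length of 8, the full-name token rule (3+ character tokens split on common delimiters) and the sample users are assumptions.

```python
import re

# Delimiters used to split the full name into tokens (assumption).
NAME_DELIMS = r"[,.\-_ #\t]+"

def complexity_failures(password, account_name, full_name="", min_length=8):
    """Return the reasons a password would be rejected (empty list = accepted)."""
    failures = []
    if len(password) < min_length:  # length is a separate policy setting
        failures.append("shorter than minimum length")

    # Count how many of the four character sets are present.
    # Simplification: any non-letter, non-digit counts as a symbol.
    sets_used = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if sets_used < 3:
        failures.append("uses fewer than 3 of the 4 character sets")

    lowered = password.lower()
    # The account name is matched whole and case-insensitively (if 3+ chars).
    if len(account_name) >= 3 and account_name.lower() in lowered:
        failures.append("contains the account name")

    # Each 3+ character token of the full name is matched the same way.
    for token in re.split(NAME_DELIMS, full_name):
        if len(token) >= 3 and token.lower() in lowered:
            failures.append(f"contains name token '{token}'")
    return failures

# Constructed sample passwords for a hypothetical user jsmith / "John Smith".
SAMPLES = [
    "1Password!",               # passes the rules, yet is a weak choice
    "Smith#2008x",              # 4 character sets, but includes the surname
    "jsmith2008!A",             # includes the account name
    "My dog ate 3 red shoes.",  # long phrase that also satisfies the rules
]

if __name__ == "__main__":
    for pw in SAMPLES:
        result = complexity_failures(pw, "jsmith", "John Smith")
        print(f"{pw!r}: {result or 'accepted'}")
```
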