<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"><channel><title>Choosing good passwords - correction - pass phrases</title><link>http://msmvps.com/blogs/bradley/archive/2005/01/24/33789.aspx</link><description>Configure Password Policies Using strong passwords is important, and configuring password policies to enforce strong passwords helps keep the Windows Small Business Server network secure. After you configure or change password policies, all users are</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>Group Policies anyone?</title><link>http://msmvps.com/blogs/bradley/archive/2005/01/24/33789.aspx#66697</link><pubDate>Fri, 16 Sep 2005 18:01:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:66697</guid><dc:creator>TrackBack</dc:creator><description></description></item><item><title>re: Choosing good passwords - correction - pass phrases</title><link>http://msmvps.com/blogs/bradley/archive/2005/01/24/33789.aspx#33828</link><pubDate>Tue, 25 Jan 2005 17:50:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:33828</guid><dc:creator>bradley</dc:creator><description>Don't be misled by anyone who suggests that the basic requirements of a strong password or using passphrases is going to prevent you from being cracked.&lt;br&gt;&lt;br&gt;The main reason why people are cracked quickly and particularly over a network connection is because they're PREDICTABLE.&lt;br&gt;&lt;br&gt;Yes.
&lt;br&gt;If MS says for you to do something, it might get you past the point of being stupidly crackable, but it will still make you PREDICTABLE.&lt;br&gt;If I tell you to do something, if the cracker has foreknowledge of that information, it makes you PREDICTABLE.&lt;br&gt;If you construct your password like 99% of the rest of the world, you're PREDICTABLE.&lt;br&gt;If you use a default password, you're PREDICTABLE.&lt;br&gt;If you use a password which is used so often it's in a cracker's dictionary, you're PREDICTABLE.&lt;br&gt;&lt;br&gt;So why does a hacker depend on predictableness? Because it means that he doesn't have to try every possibility. Because it means that he can throw out the 16 million or more possibilities of a &amp;quot;Strong Password&amp;quot; and crack your password within a few hundred or thousand tries by simply applying some rules based on PREDICTABILITY.&lt;br&gt;&lt;br&gt;Why a Passphrase can suck and Strong Passwords aren't always so strong would take more than I'll want to post to a Blog, but if you make passwords according to the following you'll probably be plenty resistant to cracking&lt;br&gt;&lt;br&gt;- Longer than 15 characters. Better yet, longer than 23.&lt;br&gt;- At least 2 of the 4 categories. 3 is not really critical, but can help and everything helps especially if the password doesn't change often or is critically important.&lt;br&gt;- Use at least one non-romantic language word. Know Russian? Arabic? Hebrew? Thai? Good stuff to include in a &amp;lt;long&amp;gt; password.&lt;br&gt;- Don't reference any information about you or your business such as addresses, dates, phone numbers, SSIDs, driver's licenses, hobbies and more. Although those might not be tried by a wide-ranging attack, all those items are easily discovered on the Internet and can be added to a cracker's dictionary if he's intent on just cracking &amp;lt;you&amp;gt;.
&lt;br&gt;&lt;br&gt;And, implement good password policy:&lt;br&gt;Change Passwords often. 42 days should be considered minimally sufficient. Monthly or better is &amp;lt;very&amp;gt; much prefered if your Users can tolerate it.&lt;br&gt;Impose good History. Especially if your password effectiveness is long, make sure they're not used, maybe in the same year.&lt;br&gt;&amp;quot;Three Strikes and you're Out!&amp;quot; - Don't let crackers hammer on you all day long. Limit consecutive failures before enforcing a timeout. I know a couple businesses who won't even tolerate one failure before lockout.&lt;br&gt;&lt;br&gt;Tony&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=33828" width="1" height="1"&gt;</description></item><item><title>Passwords vs Passphrases</title><link>http://msmvps.com/blogs/bradley/archive/2005/01/24/33789.aspx#33799</link><pubDate>Tue, 25 Jan 2005 09:44:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:33799</guid><dc:creator>TrackBack</dc:creator><description>&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=33799" width="1" height="1"&gt;</description></item></channel></rss>