Enforcing Stronger Passwords
Microsoft's password complexity filter: what's wrong with it and why you might need something better.
- By Bill Boswell
Is there a way to change the default password complexity
filter in Windows 2000 or Windows 2003? We just did a sweep of our user
passwords with a password cracker and found that lots of our users had
passwords that were easy to discover even though we enforce six-character
—An MCSE in Phoenix
Phoenix MCSE: Okay, so let’s start at the 20 yard
line and talk about passwords and why password complexity is important
before discussing what’s wrong with the Microsoft complexity filter.
First of all, Windows does not store a user’s password, as you probably
know. It stores an MD4 (Message Digest) hash of the password (and a DES
hash for backward compatibility with Windows 9x clients.) The MD4 algorithm
slices and dices the password in such a way that the input cannot be derived
directly from an analysis of the output.
Help from Bill
Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:firstname.lastname@example.org;
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)
The MD4 algorithm is well known, so a password cracking program simply
builds a database of hashed passwords and compares those hashes, one by
one, to a password hash either taken directly from Active Directory or
derived from a sniff of a challenge-response authentication transaction.
(The password hash is not transmitted on the network during a challenge-response,
but the challenge is available in clear text, so it’s fairly simple
to derive the value of the hash based on the reply sent by the client
in response to the challenge. Kerberos avoids this vulnerability by not
transmitting a challenge. It transmits a timestamp encrypted with a hash
derived from the user’s password hash. The attacker would have to
know the precise timestamp to derive the password hash.)
Windows passwords are particularly susceptible to precompiled hash attacks
because the domain controllers do not “salt” the passwords with
a random number as Unix systems do.
Okay, so that makes a dictionary attack of a Windows password fairly
straightforward. What about “strong” passwords, though? Most
of us use the Windows password filter to force our users to select passwords
that meet these criteria:
- At least once change from upper to lower case
- At least one numeral or special character
- Cannot contain the user’s logon name
- Cannot contain portions of the user’s name
Based on the complexity filter, a password of Orange7 would be acceptable
as long as the user’s name isn’t John Orange. (I’ll talk
about password length in just a minute.)
A password cracker would find a match for the hash of Orange7 very quickly,
though. Adding a special character to the end of a word doesn’t fool
the cracker. The cracker simply runs through the precompiled dictionary
words and tacks a single special character onto the beginning then at
the end. It then does the same for two special characters, then three.
So, you don’t get a strong password by putting complexity at the
beginning or end of a password. The special characters have to go in the
Also, as long as you store old-style LanMan hashes in Active Directory,
the change of case in the password is useless for deterring password crackers
because LanMan passwords are converted to upper case before hashing. So,
although an NT password might be considered “strong” if it looked
like this PaSsWoRd$, the resulting LanMan password would be PASSWORD$,
a fairly simple item to crack.
You won’t get acceptable password complexity until you rid yourself
of legacy LanMan password hashes, which requires purging all Win9x machines
from your network or installing the DSClient patch on them and hacking
the Registry on each client machine. See Microsoft Knowledge Base article
to Enable NTLM 2 Authentication."
As far as enforcing a six-character password length, that’s not
long enough of a password. Even if you force your users to put special
characters in the middle of their passwords and purge LanMan password
hashes, it would still not take all that long to crack a six-character
password using brute force. Even if you force users to change their passwords
every 30 days to foil the cracker, users simply select a base pattern
and only change the special character or numeral at the end: Orange7 ->
Orange8 -> Orange9 and so forth.
So, if you want to have passwords that can withstand a moderately sophisticated
cracking application, you need at least eight character passwords
(10 is better) with special characters in the middle of the password and
no patterns when changing passwords. With all that in mind, the complexity
filter in Windows just doesn’t cut it. You may want to take a look
at the Password Policy Enforcer from Anixis (www.anixis.com)
or some other third-party tool for enforcing more robust complexity. You
should also start thinking about deploying a two-factor logon such as
a smart card, smart token, or biometrics.
If you have a recommendation for a better complexity filter, or you have
techniques for encouraging users to select strong passwords, pass them
along to me and I’ll print them in an upcoming column.
Hope this helps.
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.