Maximum password length
-
Does anyone know if it's possible to increase the maximum password length for user accounts on NT to more than 14 characters?
-
You really want to make it hell to log in for your users, don't you? ;) Anyway, I don't think it is possible. NT actually keeps two separate hashes: LanMan hash and NT hash. I guess the limitation is in the LM hash. LM breaks the password into two 7-byte chunks, that are separately checked against the SAM. For that reason, the first seven characters should not be "related" to the next seven. For example, "QWERTYQWERTY" is broken into "QWERTYQ" and "WERTY__", and if a hacker finds either one, guessing the whole password is rather easy. You could also place non-printable characters in both halves to make it harder to guess, like '(NUM LOCK) ALT-255'. Hope this helps /moliate
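The two-halves property moliate describes can be checked on a candidate password before it is set. The following is an added example, not code from either poster: it models only the LM pre-processing (uppercase, pad or truncate to 14 bytes, split into two 7-byte blocks) and compares the work of guessing the halves separately with guessing the whole string as one unit. The 69-character set, the three-byte overlap rule for "related" halves, and the function names are assumptions made for the example.

```python
import math

# Constructed example, not code from the original thread. It models the
# LM-hash property described above: the password is uppercased, padded or
# truncated to 14 bytes, and the two 7-byte halves are hashed independently.
# The character-set size after uppercasing is an assumption (26 letters,
# 10 digits, 33 printable ASCII symbols); adjust it to your own policy.
LM_CHARSET_SIZE = 69
LM_HALF = 7
LM_MAX = 14


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte blocks LM hashing would derive from a password."""
    raw = password.upper().encode("latin-1", errors="replace")
    raw = raw[:LM_MAX].ljust(LM_MAX, b"\x00")
    return raw[:LM_HALF], raw[LM_HALF:]


def _strip(half: bytes) -> bytes:
    """Drop the NUL padding so the real length of a half can be measured."""
    return half.rstrip(b"\x00")


def halves_related(first: bytes, second: bytes, run: int = 3) -> bool:
    """True when the halves share a run of `run` or more bytes, e.g.
    "QWERTYQ" / "WERTY": recovering one half makes the other cheap to guess.
    The three-byte threshold is an assumption chosen for this example."""
    a, b = _strip(first), _strip(second)
    if len(a) < run or len(b) < run:
        return False
    return any(a[i:i + run] in b for i in range(len(a) - run + 1))


def lm_split_bits(password: str) -> float:
    """Guessing work (bits) when each half is attacked on its own.
    An empty half costs nothing: its hash is a fixed, well-known constant."""
    first, second = lm_halves(password)
    cost = sum(LM_CHARSET_SIZE ** len(_strip(h))
               for h in (first, second) if _strip(h))
    return math.log2(cost) if cost else 0.0


def lm_whole_bits(password: str) -> float:
    """Guessing work (bits) if the same 14-byte string had to be guessed as
    one unit, using the same character set, for comparison."""
    return len(password[:LM_MAX]) * math.log2(LM_CHARSET_SIZE)


def audit(password: str) -> dict:
    """Summarise the LM-specific weaknesses of a candidate password."""
    first, second = lm_halves(password)
    return {
        "within_lm_limit": len(password) <= LM_MAX,
        "first_half": first,
        "second_half": second,
        "second_half_empty": _strip(second) == b"",
        "halves_related": halves_related(first, second),
        "split_bits": round(lm_split_bits(password), 1),
        "whole_bits": round(lm_whole_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in ("QWERTYQWERTY", "secret", "Abcd3fgHijk1mn"):
        print(pw, audit(pw))
```

The comparison shows why a 14-character LM password is far weaker than its length suggests: two independent 7-byte searches cost about 2 × 69^7 guesses (roughly 44 bits) rather than 69^14 (roughly 86 bits), and a password of seven characters or fewer leaves the second half as a constant, so only the first block has to be recovered at all.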
-
moliate wrote: You really want to make it hell to log in for your users, don't you? I said the maximum, not the minimum. The reason is that I find it much easier to choose passwords from random phonemes via a Markov chain rather than by choosing random characters. 10 random elements from a third-order Markov chain must have several dozen characters to achieve the same entropy as 10 random alphanumeric/symbol characters, but can be more easily remembered because it can be pronounced with sounds consistent with the user's native language. Those who want to use this system for choosing truly random passwords find that the time it takes to type in 30 characters is significantly less than the time it takes to look up an 8-character password in a secure password-storage device. Thanks for the explanation of the NT password mechanism. I may need to accelerate the move to all-Win2K systems just because of this security problem!
-
Oops. Sorry about the misreading. Anyway, I think Microsoft has provided some kind of Hotfix to turn LM authorization off if you don't need it. Check the security site for that. Still don't know if there is a way to increase password length. /moliate