Configuring password complexity in Windows and Active Directory


You should keep this in mind if you choose this option and make sure a hotline is available for emergency password changes.

Password complexity requirements -- incorporates a number of requirements that are configured separately on Linux and Solaris systems. If this setting is enabled (as it is by default), passwords must be at least six characters long and must contain characters from three of the following five categories: uppercase characters, lowercase characters, digits (0-9), special characters (e.g., !, #, $), and Unicode characters. In addition, the password must not contain more than two characters from the username (provided the username is three or more characters long).

Minimum password length -- how many characters must be included in users' passwords. While this defaults to 7, something between 8 and 12 is a better choice. Your users are likely to balk at having to remember an additional four characters, so be ready to offer some suggestions on how to make longer passwords memorable, such as adding a couple of digits to each end, prepending passwords with their best friend's birthday (e.g., 0323), or setting passwords to be a short phrase like "want2goHome!". Remind them that writing down their passwords is always a very bad idea, but writing down something that reminds them of their passwords might be OK, especially if they don't make it obvious that it's a password they're trying to remember.

Account lockout duration -- how many minutes a locked-out account remains locked out before becoming unlocked. If set to 0, however, the account remains locked until an admin (someone authorized to make these kinds of changes) unlocks it. This setting is dependent, however, on the account lockout threshold. In other words, if you don't specify that accounts will be locked after some number of failed attempts to log in, there's no significance to specifying how long they'll be locked.

Account lockout threshold -- the number of consecutive failed login attempts that will cause an account to be locked. If set to 0 (the default), accounts are never locked. The only drawback of the account lockout threshold setting is that it makes it possible for a user to lock out some other user's account.

Reset account lockout counter after -- how many minutes must elapse before a lockout counter is reset to 0 (i.e., the account is unlocked). This can range from 1 minute to 99,999. It must be less than or equal to the account lockout duration.

Enforce user logon restrictions -- whether the Kerberos Key Distribution Center validates every request for a session ticket against the user rights policy on a particular computer.

Maximum lifetime for service ticket -- maximum time that a session ticket can be used. This means that the authentication system underlying Windows (Kerberos) must revalidate a connection at the specified interval.
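The following PowerShell is an added example and not part of the original article. It does two things that follow from the settings described above: it checks a candidate password against the complexity rules exactly as the article states them (six characters, three of five character classes, no run of three or more characters taken from the username), and it reads the domain's effective password policy with `Get-ADDefaultDomainPasswordPolicy` (from the RSAT ActiveDirectory module) and flags the settings the article calls out, such as a lockout threshold of 0 or a minimum length below 8. The function names `Test-PasswordComplexity` and `Get-PasswordPolicyFindings`, the `RecommendedMinLength` parameter, and the sample user name and passwords are all assumptions made for this example.

```powershell
# Added example: not from the article. Checks a password against the article's
# complexity rules and audits the domain policy for the settings it discusses.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$UserName
    )
    $reasons = @()

    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Five character classes from the article; at least three must be present.
    # -cmatch is case-sensitive, so upper and lower case are counted separately.
    $classes = 0
    if ($Password -cmatch '[A-Z]')                                   { $classes++ }
    if ($Password -cmatch '[a-z]')                                   { $classes++ }
    if ($Password -match  '[0-9]')                                   { $classes++ }
    if ($Password -match  '[\x21-\x2F\x3A-\x40\x5B-\x60\x7B-\x7E]')  { $classes++ } # ASCII punctuation
    if ($Password -match  '[^\x00-\x7F]')                            { $classes++ } # non-ASCII (Unicode)
    if ($classes -lt 3) { $reasons += "only $classes of 5 character classes used (need 3)" }

    # "No more than two characters from the username" is implemented here as:
    # no three consecutive characters of the username may appear in the password
    # (case-insensitive), and the rule only applies to usernames of 3+ characters.
    if ($UserName.Length -ge 3) {
        for ($i = 0; $i -le $UserName.Length - 3; $i++) {
            $fragment = $UserName.Substring($i, 3)
            if ($Password.IndexOf($fragment, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $reasons += "contains '$fragment' from the user name"
                break
            }
        }
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = $reasons
    }
}

function Get-PasswordPolicyFindings {
    # Assumed parameter: the article suggests 8-12 as a better minimum than the default 7.
    param([int]$RecommendedMinLength = 8)

    Import-Module ActiveDirectory -ErrorAction Stop
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if (-not $policy.ComplexityEnabled) {
        $findings += 'Password complexity requirements are disabled'
    }
    if ($policy.MinPasswordLength -lt $RecommendedMinLength) {
        $findings += "Minimum password length is $($policy.MinPasswordLength); $RecommendedMinLength or more is recommended"
    }
    if ($policy.LockoutThreshold -eq 0) {
        # As the article notes, duration and reset window mean nothing without a threshold.
        $findings += 'Lockout threshold is 0: accounts never lock, so lockout duration and reset counter have no effect'
    }
    elseif ($policy.LockoutDuration -gt [TimeSpan]::Zero -and
            $policy.LockoutObservationWindow -gt $policy.LockoutDuration) {
        # The reset window must be <= the lockout duration (AD enforces this on write,
        # so this mainly catches policies imported or edited by other tools).
        $findings += 'Reset counter window exceeds the lockout duration'
    }

    [pscustomobject]@{
        Domain              = $policy.DistinguishedName
        ComplexityEnabled   = $policy.ComplexityEnabled
        MinPasswordLength   = $policy.MinPasswordLength
        LockoutThreshold    = $policy.LockoutThreshold
        LockoutDuration     = $policy.LockoutDuration
        ResetCounterWindow  = $policy.LockoutObservationWindow
        Findings            = $findings
    }
}

# Sample usage with constructed values (the user name 'jsmith' is made up):
Test-PasswordComplexity -Password 'want2goHome!' -UserName 'jsmith'
Test-PasswordComplexity -Password 'jsmith99'     -UserName 'jsmith'
# Run on a domain-joined machine with RSAT installed:
# Get-PasswordPolicyFindings -RecommendedMinLength 10
```

The first sample passes (four character classes, no username fragment); the second fails on both counts, which is the behaviour the complexity rule is meant to produce. The audit function reports only the policy attributes the article discusses; fine-grained password policies (PSOs) applied to specific groups override the default domain policy and would need a separate `Get-ADFineGrainedPasswordPolicy` check.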
