locked
Default Vail Password Policy - what does the community want? RRS feed

  • Question

  • Hi Folks,
     
    Looking for a point of input here, so I'm starting a discussion. As you
    know there is no password policy in the current version of Vail, that's
    coming in the next beta. Internally we've been discussing the defaults. We
    are planning on offering 4 different policies to choose from
    (1) Any non-blank password required
    (2) Any 5 length password required
    (3) Any 5 length password with 3 levels of complexity
    (4) Any 7 length password with 3 levels of complexity
     
     
    Two points of note are
    - Vail passwords will never expire (there is a bug in your current build)
    - Complexity requires one of 3 items below, and cannot contain the username
    or words from the dictionary
    - upper case
    - lower case
    - numbers
    - symbols
     
    The question I want to discuss here is what should the default be for Vail?
    We are discussing the default to be (1) or (3) internally.
     
    We are thinking of going with (1) because this is similar to what Windows
    client does. (although they also allow a blank password with no "off-box"
    connectivity for that user, which we can't do because we're all about off
    box connectivity).
     
    We are also thinking of going with (3) because we believe in strong
    passwords, and we feel that the weakest point of the security in the system
    is the password. We want to educate the user that the recommended settings
    are to use a strong password, and let the user make a decision to lessen the
    requirements.
     
    We'd love to hear your thoughts here on the two policies and which one you
    think should be defaulted. There are additional factors that play into this
    decision (such as security team reviews etc), so even if the consensus here
    is one way, we may still end up going another.
     
    Thanks for helping shape Vail!
    Sean
     
    This post is "AS IS" and confers no rights.
     
     
    Thursday, June 3, 2010 6:30 PM
    Moderator

All replies

  • I agree with 1. The casual user will have weak passwords on their client
    computers and would not understand the need for a complex password on their WHS
    box.
     
    The only real issue here is if they manage to turn on remote access and have a
    weak password. Then a dictionary attack would be easy if someone were not able
    to guess the password.
     
     
     
     
     
    On Thu, 3 Jun 2010 18:30:26 +0000, Sean Daniel - MSFT wrote:
     
    >Hi Folks, Looking for a point of input here, so I'm starting a discussion. As you know there is no password policy in the current version of Vail, that's coming in the next beta. Internally we've been discussing the defaults. We are planning on offering 4 different policies to choose from (1) Any non-blank password required (2) Any 5 length password required (3) Any 5 length password with 3 levels of complexity (4) Any 7 length password with 3 levels of complexity Two points of note are - Vail passwords will never expire (there is a bug in your current build) - Complexity requires one of 3 items below, and cannot contain the username or words from the dictionary - upper case - lower case - numbers - symbols The question I want to discuss here is what should the default be for Vail? We are discussing the default to be (1) or (3) internally. We are thinking of going with (1) because this is similar to what Windows client does. (although they also allow a blank password with
    >no "off-box" connectivity for that user, which we can't do because we're all about off box connectivity). We are also thinking of going with (3) because we believe in strong passwords, and we feel that the weakest point of the security in the system is the password. We want to educate the user that the recommended settings are to use a strong password, and let the user make a decision to lessen the requirements. We'd love to hear your thoughts here on the two policies and which one you think should be defaulted. There are additional factors that play into this decision (such as security team reviews etc), so even if the consensus here is one way, we may still end up going another. Thanks for helping shape Vail! Sean This post is "AS IS" and confers no rights.
     

    Barb Bowman

    http://www.digitalmediaphile.com

    Thursday, June 3, 2010 6:55 PM
  • I also agree, that several users don't care very much about passwords in their home network and tend even to use none.
    So 1 is ok.
    And while we are telling about complex passwords - is Password1 really secure, even if it would fit well under 4? (This is the style of passwords many users are using in my company counting up only the digits, if the password is expired after a period of time and complexity is enforced.)

    Best greetings from Germany
    Olaf

    Thursday, June 3, 2010 7:42 PM
    Moderator
  • I believe that the "general" public will only be able to work with (1), just my feeling with trying to train people for "weakest point of the security" as you stated.
     
    I prefer (4) but use (3) often. It is a training issue and I am constantly pushing this with everyone. The article that went around about "shifting one key" to the right is a good example of what you can do. You can use relative easy passwords to remember and make them complex.
     
    As in v1 with Remote Access, the people that have access to this material are (4) if the want to access to my WHS.
     
    --
    Don
    Hi Folks,
     
    Looking for a point of input here, so I'm starting a discussion. As you
    know there is no password policy in the current version of Vail, that's
    coming in the next beta. Internally we've been discussing the defaults. We
    are planning on offering 4 different policies to choose from
    (1) Any non-blank password required
    (2) Any 5 length password required
    (3) Any 5 length password with 3 levels of complexity
    (4) Any 7 length password with 3 levels of complexity
     
     
    Two points of note are
    - Vail passwords will never expire (there is a bug in your current build)
    - Complexity requires one of 3 items below, and cannot contain the username
    or words from the dictionary
    - upper case
    - lower case
    - numbers
    - symbols
     
    The question I want to discuss here is what should the default be for Vail?
    We are discussing the default to be (1) or (3) internally.
     
    We are thinking of going with (1) because this is similar to what Windows
    client does. (although they also allow a blank password with no "off-box"
    connectivity for that user, which we can't do because we're all about off
    box connectivity).
     
    We are also thinking of going with (3) because we believe in strong
    passwords, and we feel that the weakest point of the security in the system
    is the password. We want to educate the user that the recommended settings
    are to use a strong password, and let the user make a decision to lessen the
    requirements.
     
    We'd love to hear your thoughts here on the two policies and which one you
    think should be defaulted. There are additional factors that play into this
    decision (such as security team reviews etc), so even if the consensus here
    is one way, we may still end up going another.
     
    Thanks for helping shape Vail!
    Sean
     
    This post is "AS IS" and confers no rights.
     
     
    Thursday, June 3, 2010 9:48 PM
  • I think the "default" should be 3.  I also think there should also be the option of sliding it down or up.  Personally, I use 4 levels of complexity and 16 length.  Will allow 8 length to be repeated to make 16.
     
    Also, would like the capability to use smart cards and readers to log on and the ability to choose the normal method of logging on or smart card for authentication or either for individual users.  Maybe this already exists, but I haven't found it yet.

    --
    ______________
    BullDawg
    Associate Expert
    In God We Trust
    ______________
     
    Hi Folks,
     
    Looking for a point of input here, so I'm starting a discussion. As you
    know there is no password policy in the current version of Vail, that's
    coming in the next beta. Internally we've been discussing the defaults. We
    are planning on offering 4 different policies to choose from
    (1) Any non-blank password required
    (2) Any 5 length password required
    (3) Any 5 length password with 3 levels of complexity
    (4) Any 7 length password with 3 levels of complexity
     
     
    Two points of note are
    - Vail passwords will never expire (there is a bug in your current build)
    - Complexity requires one of 3 items below, and cannot contain the username
    or words from the dictionary
    - upper case
    - lower case
    - numbers
    - symbols
     
    The question I want to discuss here is what should the default be for Vail?
    We are discussing the default to be (1) or (3) internally.
     
    We are thinking of going with (1) because this is similar to what Windows
    client does. (although they also allow a blank password with no "off-box"
    connectivity for that user, which we can't do because we're all about off
    box connectivity).
     
    We are also thinking of going with (3) because we believe in strong
    passwords, and we feel that the weakest point of the security in the system
    is the password. We want to educate the user that the recommended settings
    are to use a strong password, and let the user make a decision to lessen the
    requirements.
     
    We'd love to hear your thoughts here on the two policies and which one you
    think should be defaulted. There are additional factors that play into this
    decision (such as security team reviews etc), so even if the consensus here
    is one way, we may still end up going another.
     
    Thanks for helping shape Vail!
    Sean
     
    This post is "AS IS" and confers no rights.
     
     

    BullDawg
    Thursday, June 3, 2010 9:57 PM
  • While personally using option 4, a reasonable user default would be option 3.

    For the administrator or anyone with remote administration access option 4 should be a requirement.

    Options 1 and 2 are simply too weak. But I changing option 2 to include 2 levels of complexity would at least give a slightly improved password without hopefully alienating people that do not want to change.

    As mentioned above in an earlier reply, it is not that hard to make memorable but difficult passwords. It's really all about educating users as to the vunerability of their system if weak passwords are in use.

    My 2 cents worth.

    • Edited by frogz1 Thursday, June 3, 2010 11:22 PM typo
    Thursday, June 3, 2010 11:21 PM
  • For use on the LAN, policy 1 would be fine. For Remote Access, policy 3 or 4 should be required, preferably 4.

    If there's going to be a single global policy, policy 3 or 4, because it's going to be used for Remote Access.

    Personally, where I'm allowed I use a passphrase, which is the first sentence from page 106 of my favorite book. It's vastly more secure than 8 characters/3 of 4 character groups, so much so that expiration isn't a problem. My favorite book, BTW, is not famous. It's quite obscure, and it's non-fiction. :) If I'm not allowed a non-changing passphrase, I use an 8+ character randomly generated password, 4 of 4 character groups. It usually takes me a day or so to memorize the new one when I have to change it.

    Olaf also makes a good point about the real complexity of passwords. Most people only change their password when forced, they give it out when asked, and they use something they will never forget, which is usually easy to guess.

    Also, even though I don't need it, I think Microsoft should provide a way to plug a third party security provider into at least the Remote Access web site, so those who are sufficiently paranoid can use something like an RSA token.


    I'm not on the WHS team, I just post a lot. :)
    Thursday, June 3, 2010 11:54 PM
    Moderator
  • If I had my choice it would be 4+ (at least 8 characters, three
    complexities). I'm actually fine with #1, AS LONG AS REMOTE ACCESS IS
    DISABLED. Enabling remote access should require at least #3, and I would be
    happier if it required #4.

    Charlie.
    http://msmvps.com/blogs/russel




    "Sean Daniel - MSFT" wrote in message
    news:2a81f318-65e0-47e6-8ad9-ac3115e8d658@communitybridge.codeplex.com...

    Hi Folks,

    Looking for a point of input here, so I'm starting a discussion. As you
    know there is no password policy in the current version of Vail, that's
    coming in the next beta. Internally we've been discussing the defaults. We
    are planning on offering 4 different policies to choose from
    (1) Any non-blank password required
    (2) Any 5 length password required
    (3) Any 5 length password with 3 levels of complexity
    (4) Any 7 length password with 3 levels of complexity


    Two points of note are
    - Vail passwords will never expire (there is a bug in your current build)
    - Complexity requires one of 3 items below, and cannot contain the
    username
    or words from the dictionary
    - upper case
    - lower case
    - numbers
    - symbols

    The question I want to discuss here is what should the default be for
    Vail?
    We are discussing the default to be (1) or (3) internally.

    We are thinking of going with (1) because this is similar to what Windows
    client does. (although they also allow a blank password with no "off-box"
    connectivity for that user, which we can't do because we're all about off
    box connectivity).

    We are also thinking of going with (3) because we believe in strong
    passwords, and we feel that the weakest point of the security in the
    system
    is the password. We want to educate the user that the recommended settings
    are to use a strong password, and let the user make a decision to lessen
    the
    requirements.

    We'd love to hear your thoughts here on the two policies and which one you
    think should be defaulted. There are additional factors that play into
    this
    decision (such as security team reviews etc), so even if the consensus
    here
    is one way, we may still end up going another.

    Thanks for helping shape Vail!
    Sean

    This post is "AS IS" and confers no rights.



    Charlie. http://msmvps.com/blogs/russel
    Friday, June 4, 2010 4:47 AM
    Moderator
  • On Thu, 3 Jun 2010 21:57:13 +0000, BullDawg wrote:

    Also, would like the capability to use smart cards and readers to log on and the ability to choose the normal method of logging on or smart card for authentication or either for individual users.? Maybe this already exists, but I haven't found it yet.
    Smart cards are well beyond the abilities of the target audience for this
    product. Additionally, in the Windows security world, smart card logon
    requires Kerberos for authentication, which in turn requires Active
    Directory so for Windows Home Server this is a total non-starter.

    -- Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca


    Paul Adare CTO IdentIT Inc. ILM MVP
    Friday, June 4, 2010 6:37 AM
  • I agree with most here. Option 1 for LAN will be much more manageable for users; but 3 or 4 for remote access

     

    S

    Friday, June 4, 2010 8:16 AM
  • yup
     
    On Fri, 4 Jun 2010 04:47:26 +0000, Charlie Russel - MVP wrote:
     
    >If I had my choice it would be 4+ (at least 8 characters, three
    >complexities). I'm actually fine with #1, AS LONG AS REMOTE ACCESS IS
    >DISABLED. Enabling remote access should require at least #3, and I would be
    >happier if it required #4.
    >
    >Charlie.
    >
    >
    >
    >
    >"Sean Daniel - MSFT" wrote in message
    >news:2a81f318-65e0-47e6-8ad9-ac3115e8d658@communitybridge.codeplex.com...
    >Hi Folks,
    >
    >Looking for a point of input here, so I'm starting a discussion. As you
    >know there is no password policy in the current version of Vail, that's
    >coming in the next beta. Internally we've been discussing the defaults. We
    >are planning on offering 4 different policies to choose from
    >(1) Any non-blank password required
    >(2) Any 5 length password required
    >(3) Any 5 length password with 3 levels of complexity
    >(4) Any 7 length password with 3 levels of complexity
    >
    >
    >Two points of note are
    >- Vail passwords will never expire (there is a bug in your current build)
    >- Complexity requires one of 3 items below, and cannot contain the
    >username
    >or words from the dictionary
    >- upper case
    >- lower case
    >- numbers
    >- symbols
    >
    >The question I want to discuss here is what should the default be for
    >Vail?
    >We are discussing the default to be (1) or (3) internally.
    >
    >We are thinking of going with (1) because this is similar to what Windows
    >client does. (although they also allow a blank password with no "off-box"
    >connectivity for that user, which we can't do because we're all about off
    >box connectivity).
    >
    >We are also thinking of going with (3) because we believe in strong
    >passwords, and we feel that the weakest point of the security in the
    >system
    >is the password. We want to educate the user that the recommended settings
    >are to use a strong password, and let the user make a decision to lessen
    >the
    >requirements.
    >
    >We'd love to hear your thoughts here on the two policies and which one you
    >think should be defaulted. There are additional factors that play into
    >this
    >decision (such as security team reviews etc), so even if the consensus
    >here
    >is one way, we may still end up going another.
    >
    >Thanks for helping shape Vail!
    >Sean
    >
    >This post is "AS IS" and confers no rights.
    >
    >
    >
     

    Barb Bowman

    http://www.digitalmediaphile.com

    Friday, June 4, 2010 9:42 AM
  • I believe 1 without Remote Access, but 3 if Remote Access is used.
     
    --
     
     
    Walter B
     
     
     

    Walter B
    Friday, June 4, 2010 1:28 PM
  • For the general user I, like most others have suggested, would recommend Option 1 for LAN but Option 4 for remote access. Personally I use 4 levels of complexity with a 15 character password (or longer if it's protecting my passwords!).

    Phil
    Friday, June 4, 2010 1:35 PM
  • ..double yup!  :)

    Art (artfudd) Folden
    ~~~~~~~~~~~~~~~~
    "Barb Bowman" wrote in message news:54f5ccdf-1a56-42a6-a110-163fa79ee39c@communitybridge.codeplex.com...

    yup

    On Fri, 4 Jun 2010 04:47:26 +0000, Charlie Russel - MVP wrote:

    If I had my choice it would be 4+ (at least 8 characters, three
    complexities). I'm actually fine with #1, AS LONG AS REMOTE ACCESS IS
    DISABLED. Enabling remote access should require at least #3, and I would be
    happier if it required #4.

    Charlie.
    http://msmvps.com/blogs/russel


    "Sean Daniel - MSFT" wrote in message
    news:2a81f318-65e0-47e6-8ad9-ac3115e8d658@communitybridge.codeplex.com...
    Hi Folks,

    Looking for a point of input here, so I'm starting a discussion. As you
    know there is no password policy in the current version of Vail, that's
    coming in the next beta. Internally we've been discussing the defaults. We
    are planning on offering 4 different policies to choose from
    (1) Any non-blank password required
    (2) Any 5 length password required
    (3) Any 5 length password with 3 levels of complexity
    (4) Any 7 length password with 3 levels of complexity


    Two points of note are
    - Vail passwords will never expire (there is a bug in your current build)
    - Complexity requires one of 3 items below, and cannot contain the
    username
    or words from the dictionary
    - upper case
    - lower case
    - numbers
    - symbols

    The question I want to discuss here is what should the default be for
    Vail?
    We are discussing the default to be (1) or (3) internally.

    We are thinking of going with (1) because this is similar to what Windows
    client does. (although they also allow a blank password with no "off-box"
    connectivity for that user, which we can't do because we're all about off
    box connectivity).

    We are also thinking of going with (3) because we believe in strong
    passwords, and we feel that the weakest point of the security in the
    system
    is the password. We want to educate the user that the recommended settings
    are to use a strong password, and let the user make a decision to lessen
    the
    requirements.

    We'd love to hear your thoughts here on the two policies and which one you
    think should be defaulted. There are additional factors that play into
    this
    decision (such as security team reviews etc), so even if the consensus
    here
    is one way, we may still end up going another.

    Thanks for helping shape Vail!
    Sean

    This post is "AS IS" and confers no rights.

    Charlie. http://msmvps.com/blogs/russel

    -- Barb Bowman

    http://www.digitalmediaphile.com

    Friday, June 4, 2010 6:42 PM
  • The question I want to discuss here is what should the default be for Vail?
    We are discussing the default to be (1) or (3) internally.

     

    As WHS is all about keeping your data "safe" on centralized storage I think secure passwords definitely should be enforced by default for remote access. We do no want the server being hacked leaking personal information or leaving only formatted data drives.... Just making sure to clearly state the "why" in the users "Getting  Started" documentation will help acceptance of secure passwords for remote access to most users.

    For LAN access users may want to use "normal" Windows Client passwords. This should be OK for general usage in a Home Network.
    Again, educate the user on better securety on the local LAN by using more secure passwords.

    So I would go for policy level 3 by default for user accounts with remote access enabled.
    For other accounts policy 1 probably would be the best choice.

    - Theo.

    PS - Personally I would love to see Ken's suggestion to enable third party security providers to integrate with WHS.

     

     


    No home server like Home Server
    Friday, June 4, 2010 10:06 PM
    Moderator
  • Hi Folks,
     
    Looking for a point of input here, so I'm starting a discussion. As you
    know there is no password policy in the current version of Vail, that's
    coming in the next beta. Internally we've been discussing the defaults. We
    are planning on offering 4 different policies to choose from
    (1) Any non-blank password required
    (2) Any 5 length password required
    (3) Any 5 length password with 3 levels of complexity
    (4) Any 7 length password with 3 levels of complexity
     
     
    Two points of note are
    - Vail passwords will never expire (there is a bug in your current build)
    - Complexity requires one of 3 items below, and cannot contain the username
    or words from the dictionary
    - upper case
    - lower case
    - numbers
    - symbols
     
    The question I want to discuss here is what should the default be for Vail?
    We are discussing the default to be (1) or (3) internally.
     
    We are thinking of going with (1) because this is similar to what Windows
    client does. (although they also allow a blank password with no "off-box"
    connectivity for that user, which we can't do because we're all about off
    box connectivity).
     
    We are also thinking of going with (3) because we believe in strong
    passwords, and we feel that the weakest point of the security in the system
    is the password. We want to educate the user that the recommended settings
    are to use a strong password, and let the user make a decision to lessen the
    requirements.
     
    We'd love to hear your thoughts here on the two policies and which one you
    think should be defaulted. There are additional factors that play into this
    decision (such as security team reviews etc), so even if the consensus here
    is one way, we may still end up going another.
     
    Thanks for helping shape Vail!
    Sean
     
    This post is "AS IS" and confers no rights.
     
     
    I think the default setting should be 4 (which, if I remember correctly, is what v1 is as well, although it's been some time since I last installed v1 so I could be wrong).  But, as BullDawg said, the setting should be adjustable (at least for local access, much as v1 is now).
    Saturday, June 5, 2010 9:51 PM
    Moderator
  • I have a two part password for remote access.  Lets say I'm at my parents house using their computer that I know is up to date with AV/Firewall/Windows Update.  I'll use a user name that has full read/write access to my server.  This user name and password is a #4.   On the other hand, if I'm at an old friends house and his computer is looking a little shady,  I'll log in using a less secure username and password that has only read access and no remote desktop.  This hopefully protects me from malware that can steal your password no matter how long or complex it is. 

     

    One question I have is: as long as I don't publicly post my home server web address, who can find it?

    Sunday, June 6, 2010 5:21 AM
  • One question I have is: as long as I don't publicly post my home server web address, who can find it?

    Anybody who takes the time to do a port scan on public IP addresses and hits your IP address can find you. So basically the answer to your question is "There is no security through obscurity" because the world can find you at any moment. My logs show that my server gets about 30-50 port scans a day..., and I haven't published my vanity URL...
    I'm not on the WHS team, I just post a lot. :)
    Sunday, June 6, 2010 12:43 PM
    Moderator
  • Forcing ANY policy on the general public is not good.  While I cringe at users who use weak passwords you just can't force someone who you are not associated with, especially customers of a retail product to do something that is truely NOT a requirement.  (No it's not a requirement.  Smart, but not required)  At worst, option 1 should be used.  Do not consider 2, 3 or 4.  Though asking the question with 3 or 4 as the default would at least give a good recommendation to those less smart on this subject.

    You CAN'T force end users outside of those you govern under some other agreement to follow your own personal preferences.  You HAVE to make it as flexible as possible.  Though strongly suggesting the considered best usage is always a very good path to take.

    Saturday, July 24, 2010 8:37 PM
  • Forcing ANY policy on the general public is not good.  While I cringe at users who use weak passwords you just can't force someone who you are not associated with, especially customers of a retail product to do something that is truely NOT a requirement.  (No it's not a requirement.  Smart, but not required)  At worst, option 1 should be used.  Do not consider 2, 3 or 4.  Though asking the question with 3 or 4 as the default would at least give a good recommendation to those less smart on this subject.

    You CAN'T force end users outside of those you govern under some other agreement to follow your own personal preferences.  You HAVE to make it as flexible as possible.  Though strongly suggesting the considered best usage is always a very good path to take.

    Please re-read Sean's post.  He's asking about the default policy, not the only policy.
    Saturday, July 24, 2010 9:55 PM
    Moderator
  • 1 for LAN, 4 for admins and remote.  I don't see the need for options 2 and 3 at all.  Less is more :)

    Do you have the ability to restrict HomeGroup passwords from Vail?  (hopefully the core Windows team has already exposed it as a GPO or similar)  If so, that's another area you need to consider locking down with sane defaults.

    Sunday, July 25, 2010 12:43 AM
  • I agree that 1 would probably be sufficient for LAN use, although I would prefer 3 myself.

    I know my family have moaned about complex passwords in the past, even when I have tried to educate them on simple security measures.

    For Remote Access then 3 should most definitely be enforced, perhaps even 4.

    Sunday, July 25, 2010 3:01 PM
  • Myself 4 is fine for Vail.

    My preference is to be able to use the same PW for all Vail log-on's so I would vote using 4 for all Vail PW.

    Tuesday, July 27, 2010 2:29 AM
  • Please re-read Sean's post.  He's asking about the default policy, not the only policy.
    Please re-read my post.  default policies usually end up being the final policy on most systems no matter what.  That's obvious.
    Saturday, July 31, 2010 2:21 AM
  • Please re-read my post.  default policies usually end up being the final policy on most systems no matter what.  That's obvious.
    I read your post.  MS is not "forcing" (your word, not mine) any policy on anyone.  If a user wants to change it, they can.  If they decide not to, that's their choice.
    Saturday, July 31, 2010 3:53 AM
    Moderator
  •  We are thinking of going with (1) because this is similar to what Windows
    client does. (although they also allow a blank password with no "off-box"
    connectivity for that user, which we can't do because we're all about off
    box connectivity).

    I can't see any need for a discussion. You're not about to allow a whole pack of Server buyers to arrive at URL.homeserver.com with trivial passwords are you?

    Default passwords to level 3 and let people turn down a slider if they insist on using "meg" for a net exposed login at their own risk.

    Saturday, July 31, 2010 2:22 PM
  • I as a Network Admin with the GOVT/VA would always go with option #4, but we're not in the VA-GOVT here...

    Option three is the minimum I would consider; is there any way to make this part of initial-first "configuring" of the server manager when logging into Vail/Home server the first time? Having them setup certain things within Server Manager and the (default password policy) be part/one of them, or-perhaps the first time you run Dashboard?

    Jeff Schade - http://www.jeffschade.com

    Microsoft Beta Tester, addicted for 15 years now! 

    Monday, October 25, 2010 4:47 AM