Password strength / complexity

  • Question

  • Oh dear lord. What a function to not have working.

    Does anyone have a work around? I don't fancy setting very complex passwords on 4 different machines just to access WHS with my normal login details.
    Thursday, April 19, 2007 8:18 PM

Answers

  • Nitpick,

     

    Thanks for your comment. I agree with most of it. The basic problem we were trying to solve is not users like you and me (fully aware of the complexities of passwords and the ease in cracking them) setting a password that we think is secure (may not agree with WHS definition of secure password), but the significant portion of home users inadvertently enabling remote access for their local user accounts with blank (or close to blank) password (just because they had blank password on their machines all these years for ease of logging in). It is much harder to make them realize that the account is now no longer within the boundaries of your home network, but is exposed to the outside world and is at the mercy of anybody who has some spare time with them. So for such users, leaving that hole could prove to be disastrous compared to the annoyance of having to remember a complex password.

    Friday, April 20, 2007 1:36 PM
    Moderator

All replies

  • I set my password strength under Server Settings - Password to not require a password -  so now I can have user accounts on my home server that can access the shared folders from one of my PCs without entering a password.

     

    For any user account that has remote access enabled, a complex password is required. But not all accounts have to have remote access enabled.

    Thursday, April 19, 2007 8:26 PM
  • Same here. A workaround should be to deactivate the group policy which is responsible for that. But the policy is still deactivated?

    Could somebody please give a hint on how to 'fix' this?

     

    Bastian

     

    Edit:

    I just changed the password settings to 'weak'. But as it says there's no effect on the need for complex passwords for remote access.

     

    Thursday, April 19, 2007 8:28 PM
  • Ah it was the remote setting. Darn them. At least I can add myself into the Remote Users group manually after the password sync :)
    • Proposed as answer by NARESHK BANKER Thursday, April 12, 2012 11:25 AM
    Thursday, April 19, 2007 8:43 PM
  • Your passwords don't have to be "very" complex in order to enable Remote Access for that user.

     

    7 Characters

    Upper and lower case

    One number or special character

     

    Mypass1 is an example of a minimum complex password.

     

    Also, if you don't intend to give the users remote access, you can use less secure passwords.  They will still have LAN access to the Shared Folders.

    Thursday, April 19, 2007 10:21 PM
  • I can understand the option to have strong passwords, but there should be an option with a disclaimer to turn it off. We all know that when we ask people to have complex passwords, all they do is write it on a post-it and put it on their monitor. I already have a password for all my computers that has everything in it but an uppercase letter. I don't want to have to go around and change everything.
    • Proposed as answer by NARESHK BANKER Thursday, April 12, 2012 11:25 AM
    Thursday, April 19, 2007 10:52 PM
  • Let me make a few things clear about password policies.

     

    1. You can set the policy to either of the three: Weak (0 minimum length), Medium (5 minimum length) and Complex (7 minimum length + complexity requirement). In any case, for a user to be enabled for remote access, Complex password is a must.

    (Please note that remote access here means accessing through the remote access website, not remotely from a PC within the home network.)

     

    2. It is not tied to group policy, so disabling that would not help.

     

    It would be terrible to allow remote connection with weak (blank or similar) passwords. It would be hacked in no time. Remember, it's your precious data that is exposed.

    Friday, April 20, 2007 12:31 AM
    Moderator
  • If the lowest setting is indeed a zero character password, doesn't this prevent access to the Shared Folders on a LAN?  Per the standard Local Security policy of blank passwords only being allowed for local Console logon?
    Friday, April 20, 2007 6:07 AM
  • These are two separate policy issues. When you access files from a share on a LAN, that is completely different from logging into the remote terminal, say, from Microsoft Terminal Services Client. So shared folders will be unaffected but that particular login will not be able to use MSTSC to access.
    Friday, April 20, 2007 9:50 AM
  • I guess the only annoying thing for me is that a complex password needs an uppercase letter. It seems that complex passwords keep getting more and more complex, 1st it was 6 letters, then 8, then letters and numbers, now 8 letters, with numbers, and upper & lower case. My job at one point also required a symbol in the password, but that did not last long with all the calls to the help desk to reset passwords because no one could remember it.

    Steve
    Friday, April 20, 2007 11:37 AM
  • The problem is that MS is still viewing password complexity as being an effective solution for security when most of the rest of the industry recognizes the inherent weaknesses. Complex passwords really only have an impact on preventing basic dictionary attacks against the user's password. These days if someone is going to take the time to do a brute force attack they're likely going to include all the typable characters in their brute force tool, not just lower+UPPER. Granted, it will take a much longer time to crack an MS complex password than a straight alpha password, but it is not even remotely close to as effective as other methods.

     

    A much more effective approach is to set a policy that disregards the types of characters in the password but enforces a more significant length, thereby acknowledging the effectiveness of passphrases (Windows Server 2003 does allow this configuration via GPO). It is much more secure having users using easy to remember passphrases than hard to remember "complex" passwords. From an attack perspective, the passphrase "Good morning, computer" is much more secure than the password "C&alp!19". This is not slightly more secure, mind you. Against a brute force attack you need to think in terms of numbers like 1.8368401145779437322924057610862e+17262 times more effective.

    Friday, April 20, 2007 12:22 PM
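    As an added illustration of the length-versus-complexity comparison in the post above (my own arithmetic, not the poster's figures), the snippet below works out the search space an exhaustive attacker faces for the two examples "C&alp!19" and "Good morning, computer". The attacker model is an assumption and is spelled out in the comments: exhaustive search over the 95 printable ASCII characters gives the passphrase its full length advantage, while a word-by-word guess over a common vocabulary is the weaker case a defender should also size up before relying on passphrases.

```python
"""
Added example: size the brute-force search space for a short "complex"
password versus a long passphrase, expressed in bits (log2 of the number of
candidates). Assumptions, labelled here:
  - exhaustive search uses a 95-character printable ASCII alphabet;
  - the attacker does not know the structure of the secret, so every string
    up to the target length is a candidate (the attacker's worst case);
  - the word-list estimate assumes the attacker guesses whole words from a
    vocabulary of the given size, which is the realistic attack on a
    natural-language passphrase.
"""
import math

PRINTABLE = 95  # printable ASCII characters including space (assumed alphabet)


def bruteforce_bits(secret: str, alphabet: int = PRINTABLE) -> float:
    """log2 of the candidates an exhaustive search over `alphabet` must cover."""
    return len(secret) * math.log2(alphabet)


def wordlist_bits(n_words: int, vocabulary: int) -> float:
    """log2 of the candidates if the attacker guesses n_words words from a vocabulary."""
    return n_words * math.log2(vocabulary)


def compare(password: str, passphrase: str, n_words: int, vocabulary: int) -> dict:
    """Return the bit estimates for both secrets and the passphrase's advantage
    under each attacker model (positive means the passphrase is larger)."""
    pw = bruteforce_bits(password)
    pp = bruteforce_bits(passphrase)
    wl = wordlist_bits(n_words, vocabulary)
    return {
        "password_bits": pw,
        "passphrase_bruteforce_bits": pp,
        "passphrase_wordlist_bits": wl,
        "advantage_vs_bruteforce": pp - pw,
        "advantage_vs_wordlist": wl - pw,
    }


if __name__ == "__main__":
    # The two examples from the post; 3 words from an assumed 20,000-word vocabulary.
    result = compare("C&alp!19", "Good morning, computer", n_words=3, vocabulary=20000)
    for key, value in result.items():
        print(f"{key:28s} {value:8.1f}")
```

    Run as-is, the exhaustive-search column shows the 22-character passphrase roughly 92 bits ahead of the 8-character password, which is the post's point. The word-list row shows why the attacker model matters: three dictionary words from a 20,000-word vocabulary come to about 43 bits, less than the 8-character password's 52.6 bits, so a passphrase policy should ask for more words, or less predictable ones, rather than just more characters.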
  • Doug,

     

    At the Weak policy setting, the policy is updated to allow access to Shared Folders. So, the local sharing on the home network should be unaffected with 0 character password.

    Friday, April 20, 2007 1:18 PM
    Moderator
  • Yea I discovered it's not policy, because I wanted to set the administrator password on my WHS box to match the administrator password on my 3 Win2003 servers and my 2 laptops, and I wasn't allowed. It's plenty strong, believe me, it just doesn't have a number or capital letter. It does have 3 punctuation marks though.

     

    So I'm still a bit annoyed.

    Friday, April 20, 2007 3:32 PM
  • blowdart said:

    Yea I discovered it's not policy, because I wanted to set the administrator password on my WHS box to match the administrator password on my 3 Win2003 servers and my 2 laptops, and I wasn't allowed. It's plenty strong, believe me, it just doesn't have a number or capital letter. it does have 3 punctuation marks though.

     

    So I'm still a bit annoyed.



    I found a solution to this password issue -- allowing you to set whatever password you like, yet have full remote access.

    It requires one simple registry change.

    First, set your password to whatever you like.  Don't bother trying to enable the remote access feature yet.

    Then in the Registry Editor (regedit.exe), go to the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Home Server\User Manager\Users".

    Select the key name that matches the user name you want to allow remote access for.  Then, change the PwdStrength value to 3.  That's it!

    This trick makes WHS think you have a complex password, so the next time you edit the user settings, you will be able to assign the remote access without complaint.
    • Proposed as answer by Speednet Thursday, February 5, 2009 7:04 AM
    Thursday, February 5, 2009 7:04 AM
  • Don't preach, nobody cares about your opinion.  Remote access is turned off for a user and password complexity is set to 'weak' and still it is requiring a complex password.  If you have an answer to provide then a sincere 'thanks' would be in order but don't preach about how concerned I should be about my data.

    clear?

    Sunday, May 9, 2010 6:42 PM