Complex password

  • Question

  • I just have to ask: is requiring a complex password of any benefit in a home setting?  By requiring users to use more complex passwords you require the user to remember a more complex password.  By doing this some users may write down this extended password, therefore defeating the purpose of the policy.  By no means am I suggesting that the complexity requirements should be disabled by default; that would be just reckless. But why can’t the user analyze the security needs of their network and then determine for themselves what their needs are?  I agree that this doesn’t necessarily need to be part of the main setup stream, but it shouldn’t be so obfuscated that it is impossible to change these settings by conventional means.  I just feel choked by the newer operating systems that Microsoft has produced in recent years, i.e. XP, Vista, Server 2003, etc.  I just feel that Microsoft is coddling the user rather than educating the customer on the risks and benefits of many features of the new generation of operating systems.  The biggest advance Microsoft can make is to consolidate all of these coddling features into one control panel so they can be easily disabled by advanced users that can properly assess the threats that disabling certain features may present.

    Friday, February 29, 2008 11:38 AM

All replies

  • You only need strong passwords if you want that user to be allowed web access to the WHS.  Otherwise, you can set the system to allow weak (or no) passwords.
    And, keep in mind that a strong PW doesn't necessarily need to be a cryptic random string of characters.  Your username here is a good example of a strong PW that'll satisfy WHS.

    Also (assuming that each of your PCs at home are single-user (or single-account) boxen), you can also always set the system to auto-logon to that account (start > run > control userpasswords2).

    Friday, February 29, 2008 3:26 PM
  • Regardless, I should be able to set whatever password to whatever user account with whatever permissions I want.  Please reference this video…

    http://www.youtube.com/watch?v=8QuptMSA1rs
    Friday, February 29, 2008 8:27 PM
  • Interesting video, but only vaguely has anything to do with this topic, IMHO.
    The fact still remains, though:  if you want a given user to have web (read:  external, from-the-internet) access to the WHS and its shares, that user must have a strong password.  If, however, you only want that user to have local (read:  internal, on-your-LAN) access, you can change the default password requirement (default = medium, complexity not required) to 'weak', which will allow even a blank password.

    Again, IMHO, the strong PW requirement for remote access is a good thing - this is your data security that we're talking about here.  Do you really want your shares wide-open to any and all bits of nefariousness on the interwebs?

    Just my $0.02....

    Saturday, March 1, 2008 4:03 AM
  • Having my shares wide open to the world is not an issue because the only way to gain that level of access to my network is through a VPN tunnel “gotta love Cisco”.  Yes, I have a Cisco 2821 running my network.  So even if my shares have weak passwords this is of no major concern to me, because it would take more than the average underachieving high school student to get into my network.  In fact, outside of the VPN tunnel the only machine you can communicate with other than the router or switch is my web server, which is running BSD.  Sorry, but I don’t trust Microsoft for this one.  And yes, the video has everything to do with this topic: rather than letting me decide the necessary level of security for my network, Microsoft has already made that determination, therefore taking control away from me.  Please keep in mind I come from a strong UNIX and Linux background; this is a place where if you don’t like something you are free to change it.  I.e. NO CODDLING.  In 12 years of doing UNIX and Linux IT work I have had 8000 or so recorded attacks, none of them successful.  I would have to say that that is a fairly good track record.

    I understand that the average user is probably not as savvy as I am, but this doesn’t mean that software should be built exclusively for the average “Jim Billy Bob Joe” user that can grasp the difference between a cat5 and a cat3 cable.  These being the type of people who think things like Bonzi Buddy and WeatherBug are good things.  Maybe if we could educate people on the subject then maybe most of this security wouldn’t be necessary on the user end.

    Saturday, March 1, 2008 7:38 AM
  • Actually, I disagree that the software shouldn't be built for the average user. The average user will pretty much always opt for convenience over security unless security can be made truly transparent, and the average user is using whatever router their broadband provider sold them, not a Cisco. In order to protect the world from a small army of WHS-bots, and to protect users like that (who would use no passwords for remote access if it were possible) from having their identities stolen, Microsoft made the choice to require strong passwords for users who have remote access. You don't have to like that choice, of course (I'd prefer passphrases, which are much harder to crack than even a cryptographically strong password, for example); if you feel strongly about it you should post a suggestion on Connect.
    Saturday, March 1, 2008 2:08 PM
    Moderator
  • You make a very valid point and I respect your opinion.  I don’t wish for software to be built one way or the other. I believe the standard setup/configuration process should be built for the average user that is using the $50 Linksys wireless router with the security of a screen door on a bank vault, but the power user should be able to make changes to the security policy as they feel necessary.  I feel that the power users are being excluded from what may potentially be a really nice product.  As far as my feelings go, I still don’t feel that the cost for the server license warrants what the software has to offer.

    Sunday, March 2, 2008 6:46 AM