7

Note: I've also posted a question for this issue on non-Windows systems.

In NIST SP 800-53 Rev. 3, IA-5 is the control addressing "Authenticator Management". The requirements in this control include such things as enforcement of password length, complexity, lifetime, history, and proper storage/transmission of passwords.

The first enhancement for this control, which is selected for all (Low/Moderate/High) systems includes this requirement:

The information system, for password-based authentication:

...

(b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created;

In Windows systems, I know how to enforce long and complex passwords which are changed regularly and do not exactly match a certain number of old passwords. But, how do you implement a policy that requires a certain amount of characters to be changed with every new password?

Community
  • 1
Iszi
  • 26,997
  • 18
  • 98
  • 163

2 Answers2

4

Believe the only way is to write your own custom password filter.

There are also plenty of third party products that will do this for you e.g.

Even Windows 2008 password complexity will only check:

  • Passwords cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters.
  • Passwords must be at least six characters in length.
  • Passwords must contain characters from three of the following four categories:
    • English uppercase characters (A through Z).
    • English lowercase characters (a through z).
    • Base 10 digits (0 through 9).
    • Non-alphabetic characters (for example, !, $, #, %).

http://technet.microsoft.com/en-us/library/cc264456.aspx

This default complexity check with user education and providing a password manager is sufficient for most companies to mitigate the risk.

If you are really worried about someone setting ChelseaFC01, ChelseaFC02, ChelseaFC03 and this being guess through social engineering i.e. attacker finds out user likes Chelsea and cycles through this combination you could move away from just relying on password: e.g. implement two factor, adaptive authentication etc. You could also monitor for multiple password failures e.g. 8 attempts then a success via the Active Directory logs and investigate these.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Rakkhi
  • 5,783
  • 1
  • 23
  • 47
  • For the record, you can also have Windows enforce password history, i.e. that the new password does not match previous X passwords (as the OP mentioned). – AviD Apr 20 '11 at 15:44
1

I think this may have changed in Windows 2008 but in earlier versions of windows this kind of thing was done via custom password filters (passfilt.dll) and/or custom login agents.

frankodwyer
  • 1,907
  • 12
  • 13