Recipe 11.7. Requiring Strong PasswordsProblemYou want to enforce the use of strong passwords for user accounts. SolutionUsing a graphical user interface
This setting does not have any effect on users' current password. Password complexity is required only after each users' current passwords. For more on how to force users to change their password, see Recipe 6.21 in Active Directory Cookbook (O'Reilly). DiscussionMost users, if given a choice, pick really simple, easy to remember passwords. No matter how tight the security is on your servers, if an attacker can crack a user's password, it is all for naught. To combat this, you can enable password complexity on the Default Domain GPO to require users to choose a password that meets the following criteria:
By enabling this, you can feel a little better that once a user changes his password, that it won't be something trivial (although passwords such as "Mypassword!" still pass the complexity test). See AlsoMS KB 225230 (Enabling Strong Password Functionality in Windows 2000) |