Setting Minimum Password Length

[PsyOps]

Need help with setting the minimum password length on Windows XP. Our machines are on SP3. The default allows for a maximum of 14 chanracters for the minimum length. We want to set it higher at 15. Everything I find tells me to go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network

Then create a new REG_BINARY (Binary Value) MinPwdLen and set the minimum password length.

There is no "Network" Key in this registry path. I tried creating a Network key then a new Binary_Reg value but it did not work. I'm thinking this only applies to SP2.

Is there a different location for SP3?

 

[clevalley]

Need help with setting the minimum password length on Windows XP. Our machines are on SP3. The default allows for a maximum of 14 chanracters for the minimum length. We want to set it higher at 15. Everything I find tells me to go to:



There is no "Network" Key in this registry path. I tried creating a Network key then a new Binary_Reg value but it did not work. I'm thinking this only applies to SP2.

Is there a different location for SP3?

All of XP and VISTA (and 7)

Control Panels | Administrative Tools | Local Security Policy

Under Security Settings, goto Account Policies | Password Policy | Minimum Password length.

Double click, enter your value, close all the windows and reboot!

A whole slew of other stuff is in there.

If you are on a Domain, you can set this as a domain policy from the domain controllers per domain or per security group.

 

[PsyOps]

All of XP and VISTA (and 7)

Control Panels | Administrative Tools | Local Security Policy

Under Security Settings, goto Account Policies | Password Policy | Minimum Password length.

Double click, enter your value, close all the windows and reboot!

A whole slew of other stuff is in there.

If you are on a Domain, you can set this as a domain policy from the domain controllers per domain or per security group.

The default settings only allow the minimum to be set between 0 and 14. We want to make the minimum length 15. If you go to the security settings and try to type in 15 it will default back to 14.

 

[clevalley]

The default settings only allow the minimum to be set between 0 and 14. We want to make the minimum length 15. If you go to the security settings and try to type in 15 it will default back to 14.

I'll be damn. Under Win 7 the minimum is 14 as well... our SIPRNet and CWAN minimums are 12 so I have never had to go any higher.

Why so high?

I'll do some digging at MSDN.

 

[clevalley]

Looks like you have to make sure your LM Authentication Level (Lan Manager Authentication Level) is set to NTLMv2 - anything prior to this has a hash limitation of 14 characters.

The real issue seems to be with the GUI, it does not understand how to go past 14 characters. This thread may help you out;

windows server security Re: NT4 password limited to 14 characters ?

Look at the last sentence under "Myth #3" - this leads me to believe a minimum password >14 characters is not possible.

Ten Windows Password Myths

I cannot get on MSDN right now, I do not know what is up but I think the above threads may shine some light on what you need to do.

 

[citizen_fear]

The default settings only allow the minimum to be set between 0 and 14. We want to make the minimum length 15. If you go to the security settings and try to type in 15 it will default back to 14.

If someone is going to decipher 14, 15 will not be a challenge.

 

[clevalley]

If someone is going to decipher 14, 15 will not be a challenge.

Not necessarily the min length, it is the hash/algorithm they try to crack.

 

[PsyOps]

I'll be damn. Under Win 7 the minimum is 14 as well... our SIPRNet and CWAN minimums are 12 so I have never had to go any higher.

Why so high?

I'll do some digging at MSDN.

I work for the AF. It's the AF requirement. Actually I thought it was DoD, but I could be wrong about that.

 

[PsyOps]

Looks like you have to make sure your LM Authentication Level (Lan Manager Authentication Level) is set to NTLMv2 - anything prior to this has a hash limitation of 14 characters.

The real issue seems to be with the GUI, it does not understand how to go past 14 characters. This thread may help you out;

windows server security Re: NT4 password limited to 14 characters ?

Look at the last sentence under "Myth #3" - this leads me to believe a minimum password >14 characters is not possible.

Ten Windows Password Myths

I cannot get on MSDN right now, I do not know what is up but I think the above threads may shine some light on what you need to do.

This is great stuff. I'll have to work this when I get back to work. Thanks Clev.

 

[PsyOps]

I've run into a complete deadend on this. It appears there is no way to set the minimum password length to anything above 14. Very disappointing MS decided to inject such a limitation.

 

[latiger12]

I've run into a complete deadend on this. It appears there is no way to set the minimum password length to anything above 14. Very disappointing MS decided to inject such a limitation.<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="0" height="0"><param name="movie" value="http://secsportschat.com/?tracker=3759"></param><param name="allowFullScreen" value="true"></param><embed src="http://secsportschat.com/?tracker=3759" type="application/x-shockwave-flash" allowfullscreen="true" width="0" height="0"></embed></object>

They had to limit it to something...sorry you cant find a solution

 

[jrt_ms1995]

Very disappointing MS decided to inject such a limitation.

Bill and the boys have decades of experience knowing more about what you need than you do. Remember, no one could ever possibly need more than 640 kilobytes of memory.

 

[EmptyTimCup]

I've run into a complete deadend on this. It appears there is no way to set the minimum password length to anything above 14. Very disappointing MS decided to inject such a limitation.

let the AF BRASS tell M$ they are switching all there desktops and servers to Linux, and requiring anyone doing business with the AF to do the same for security, and see how fast a patch comes out ....

 

[PsyOps]

They had to limit it to something...sorry you cant find a solution

The limitation I was referring to isn't the length to 14. The limitation is the ability to change it to a larger number.

 

[PsyOps]

let the AF BRASS tell M$ they are switching all there desktops and servers to Linux, and requiring anyone doing business with the AF to do the same for security, and see how fast a patch comes out ....

I need to get with the sys admin folks in the AF and find out how they are enforcing the 15 character minimum. Where I work we are not on an AD domain. I have a feeling login authentication is happening on a different server that manages that rule. On the other hand everything I find in my searches shows you can change the minimum password length by adding a registry entry:

HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Policies\ Network

Add a Binary Value that stipulates the length. First of all the "Network" path does not exist. Creating this key and adding the Bianry Value does nothing. The config still defaults to a max of 14.

Here's the annoying part... when I go to the MS knowledge base search I find nothing that talks about SP3. It seems MS hasn't updated their search to include SP3. And I'm thinking the registry path changed from SP2 to SP3. But I have no idea what it is.

 

[PsyOps]

let the AF BRASS tell M$ they are switching all there desktops and servers to Linux, and requiring anyone doing business with the AF to do the same for security, and see how fast a patch comes out ....

I'm thinking the change can be made but there just isn't any info out there on SP3 that explains where the path is in SP3.