Windows Password Message
Results 1 to 9 of 9

Thread: Windows Password Message

  1. #1
    Junior Member
    Join Date
    May 2005
    Posts
    6

    Windows Password Message

    I recieved an interesting request today, I am being asked to find out how to change the windows error message that appears when you try to change your password but it does not meet the domain/policy requirements.

    Reason is, we have abnormal password rules such as passwords need to be exactly 13 characters long, some of the rules are harder to remember and when users are trying to change their password we want the default message "your password must be at least 8 characters long... blah blah blah" to reflect our non standard rules.

    Does anyone know how we would go about changing the text on that box? Ive researched registries and the like with no luck. Any help is appreciated.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Have a look here:
    http://msdn.microsoft.com/msdnmag/is...ecurityBriefs/
    What you want to change is called GINA.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi mpower1

    Ask your bosses why the password is 13 characters, when modern rainbow tables handle 14?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Junior Member
    Join Date
    May 2005
    Posts
    6
    As with all decisions of this nature, it has more to do with what he read in some magazine than any thought.

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hey mpower1

    I understand, please suggest 15 as a minimum, I would actually like 25, but they will write them down?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Originally posted here by nihil
    ... I would actually like 25, but they will write them down?
    And, put them in their wallets?

    Why exactly 13? Some kinda drug code? Trying to make life miserable for employees? Just being a jerk?

    No offense meant, but that seems like a bit of over-zealous cantankerousness. And what magazine article?

    Oh well, pointy haird ones always rule.

  7. #7
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I dont think you want a msgina.dll replacement. GINA is the process called by winlogon which performs the authentication and returns success or failure to winlogon. Replacing GINA is useful if you dont want to use AD/Windows authentication and want to auth on something else (RADIUS,OpenLDAP,Biometric scanner,etc). Since you still want to use your domain but just want to change the rules and message you want a custom passfilt.dll. Whenever a call to change a password is made, it gets passed through the passfilt.dll, Windows 2000/2003 ships with a default passfilt.dll, and thats the one you see when configuring password policies on the domain, but there is plenty of documentation on writing your own passfilt.dll on MSDN . If your company does not have someone familiar with W32 coding, there are companies that sell passfilt replacements like ANIXIS.


    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    mpower1

    I don't know how "reasonable" your boss is, but I would suggest that you both sit down and review your security policies. This is something we all should do periodically, as threats change with time.

    You need to consider what you are protecting, and against what? For example, is the potential danger internal or external?

    Password crackers work in two ways; dictionary and brute force. A lot of the simple (free) ones will only accept 8 characters, so anything longer than that should be "safe". However, you can buy rainbow tables (precomputed brute force) up to 14 characters and I have even heard of 24

    The 14 character ones that I have looked at took up 60Gb of HDD space, and the size grows exponentially with the number of characters.

    Other things to look at are restricting users to particular machines or departments (workgroups), frequency of password changes etc. And be sure that people are only empowered to do what they NEED to do.

    Once you have determined your policy, you should document it and present it to your users..........."We are IT we care about you, your data and your security"............the usual PR bullcrap

    In security, you do need to get your users onboard, if they just see it as mindless petty restrictions, you have lost

    Incidentally, the symbol is a good one. Most of the crackers I have played with don't have it, so they fail. A hot key sequence to the Japanese yen symbol is also quite effective.

    Just a few thoughts................
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #9
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    If you use only NTLMv2 and dont store LM hashes in the database, the only way precomputed hashes (Rainbow tables) would help would be if an attacker already has admin on an AD server and can dump the NT hashes. Also, the NT hashes unlike LM hashes do not break into two seperate 7 char hashes, so the space requirements for NT hashes(MD4) is going to be a good chunk for 14 characters. I would say strong password policy is a much better investment than worrying about cracking. The strength of the hash is irrelevant when it comes to guessing a weak password.

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides