Define: Complexity Requirements "full name that exceed two consecutive characters"

  • Question

  • Hi,

    I just want some clearance on the "Password must meet complexity requirements" password policy.

    Part of the Explain field gives the following description: "Not contain the user's account name or parts of the user's full name that exceed two consecutive characters"
    For example when I set the password for user with the Full Name/Display Name: "Joey Williams" I get the following:

    When I use the FirstName, Surname(parts of Full Name) as part of password it gives me the following: (Example: Joey19-2 ; Williams19-2)
    "...The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."
    (WHICH is correct)

    BUT
    When I use the following password (Example: William19-2 ) =>(Without the s)
    It accepts it: "The password for Joey Williams has been changed."

    The way I interpret the Explain text it SHOULD NOT, because it contains "two consecutive characters" of the user's full name (in this case 7 characters)

    Why is this, and is it correct, since many others also interpret it the same way?
    Or is this something I should just accept and forget...

    Thank you,


    Wielligh
    Friday, December 19, 2008 10:02 AM

Answers

  • Hi,

    I would like to explain how "Not contain the user's account name or parts of the user's full name that exceed two consecutive characters" works.

    If the account name is less than three characters long, this check is not performed because the rate at which passwords would be rejected is too high.

    When checking against the user's full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound-signs and tabs. For each token that is three or more characters long, that token is searched for in the password; if it is present the password change is rejected.

    For example, the name "Joey M. Williams" would be split into three tokens: "Joey", "M", and "Williams". Because the second token is only one character long, it would be ignored. Therefore, this user could not have a password that included either "Joey" or "Williams" as a substring anywhere in the password. All of these checks are case insensitive.

    These complexity requirements are enforced upon password change or creation of new passwords. It is recommended that you enable this setting.

    Thanks.

    Monday, December 22, 2008 11:55 AM
    Moderator
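
The name check described in the answer above, written out as an added example (it is not part of the original thread and is not Microsoft's code). It covers only the name rule, not the character-class or length rules; the account name `jwilliams` is a constructed value, and comparing the account name as one whole string is an assumption.

```python
import re

# Delimiters listed in the answer: comma, period, dash/hyphen, underscore,
# space, pound sign and tab.
DELIMITERS = re.compile(r"[,.\-_ #\t]")
MIN_TOKEN_LEN = 3  # tokens shorter than this are ignored


def name_tokens(full_name):
    """Split the full name on the delimiters and return the lower-cased tokens."""
    return [t.lower() for t in DELIMITERS.split(full_name) if t]


def name_violations(password, account_name, full_name):
    """Return the name fragments that would cause the password to be rejected."""
    pw = password.lower()  # all checks are case insensitive
    hits = []

    # Assumption: the account name is compared as one whole string.
    # The check is skipped when the account name is under three characters.
    acct = account_name.lower()
    if len(acct) >= MIN_TOKEN_LEN and acct in pw:
        hits.append(acct)

    # Each full-name token of three or more characters is searched for
    # as a substring anywhere in the password.
    for token in name_tokens(full_name):
        if len(token) >= MIN_TOKEN_LEN and token in pw and token not in hits:
            hits.append(token)
    return hits


def passes_name_check(password, account_name, full_name):
    return not name_violations(password, account_name, full_name)


if __name__ == "__main__":
    # Passwords from the question; the account name is constructed.
    for pw in ("Joey19-2", "Williams19-2", "William19-2"):
        bad = name_violations(pw, "jwilliams", "Joey Williams")
        print(pw, "rejected: contains " + ", ".join(bad) if bad else "accepted")
```

"William19-2" is accepted because the comparison is against whole tokens: the token is "williams", and that eight-character string does not occur in the password.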

All replies

  • Hi Mervyn Zhang,
    I read your answer, which gave me a good understanding of password complexity. But I'm still puzzled by the following item:
    I can successfully create (account/password) GFVT_0223125638_User/GFVT0223125638User using MSAD. According to your explanation, "GFVT", "0223125638" and "User" are all substrings in this password, so why can this user be created successfully? Any reply is very appreciated!
    (wensanshui@msn.com)

    your answer link:
     One question about password complexity
    Tuesday, February 24, 2009 7:52 AM
  • Hi,

    I cannot create a user (account/password) GFVT_0223125638_User/GFVT0223125638User if "Password must meet complexity requirements" is enabled.

    Please make sure the GPO is linked to the DC and has taken effect. Run "gpupdate /force" to make sure it's working.

    If the issue persists, please run "gpresult /z >>c:\gp.txt" on the DC and send it to tfwst@microsoft.com.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, February 25, 2009 10:03 AM
    Moderator