My company has asked me to recommend an appropriate password length for user accounts. Our current password-length minimum is four characters, with a maximum length of eight characters. We're considering changing the minimum length to six or eight characters. Until now, the company has maintained that four characters are sufficient, given that our systems implement a lockout feature after three incorrect passwords. Does the lockout feature hinder a password cracker's use of word lists, brute force, or sniffers to access system passwords?
Account lockout policy doesn't affect password crackers because they work offline on password hashes of a stolen SAM file or on challenge/response packets they sniff from the network. Studies show six characters to be the minimum length for an effective password. (To read one such study, go to http://www.smat.us/sanity/pwdilemma.html.) A strict lockout policy can be a compensating control when users' passwords are weak, but lockout policies will only hinder, not prevent, aggressive attacks. And all three lockout policy settings—Account Lockout Duration, Account Lockout Threshold, and Reset Account Lockout Counter—are more important in combination than Account Lockout Threshold (i.e., the number of failed passwords allowed) by itself. I recommend setting your lockout policy to three invalid logon attempts within 1440 minutes (24 hours) and no automatic unlock.
In addition to setting a strict lockout policy, you need to follow up with diligent monitoring. When a user requests to have his or her account unlocked, the support person needs to verify the user's identity and confirm that the user remembers having entered an incorrect password three times during the past 24 hours. If the user doesn't remember three incorrect password attempts, someone might be attacking the account. You can follow up by investigating the domain controllers' (DCs') security logs. Look for event ID 675 (pre-authentication failed) with failure code 24 and event ID 681 (logon failed) with error code 3221225578. Both events specify the IP address or the workstation name that generated the failed logon. These events specify when the logon attempts occurred and can help you track down the culprit or at least confirm that the invalid logon attempts came from the legitimate user's workstation.
Password policies such as minimum password length and password complexity have only a minor effect on password crackers. By requiring longer passwords or increasing the range of characters that users can use for passwords, you can make cracking take longer—but in the end, the cracker will succeed. Although some people claim that using extended ASCII characters such as a smiley face (J) lets you create passwords that password-cracking tools such as @stake's LC4 can't crack, this isn't true. These characters simply make password cracking more difficult. LC4 has several predefined character sets that you can use for password cracking, such as A—Z; A—Z and 0—9; and A—Z and 0—9 with common symbols. The larger the character set, the more time it takes to crack the password. LC4 also lets you create character sets that include extended characters.
