mailing list archives
Windows 2000 password policy bypass possibility
From: Leonid Mamtchenkov <leonid () francoudi com>
Date: Thu, 7 Mar 2002 09:40:51 +0200
I have noticed the following behavior with Windows 2000 and I am not
yet sure whether that is a bug or a feature.
It is possible to create a security policy regarding passwords for
Windows 2000, that will require users to use secure passwords, which
should be periodically changed. It is also possible to make Windows
remember several previous passwords (18 in our case).
Now, when time comes for user to change the password, system checks
whether or not new password is among those 18 old ones. If it is not,
and password satisfies other conditions, then password changes.
It is possible for user though to change the password without waiting
for it to expire. When changing this password, password history check
is not done, but check for all other conditions is performed.
Is this issue serious enough to be forwarded to Microsoft, or is it
supposed to work this way?
Leonid Mamtchenkov, RHCE
Francoudi & Stephanou Ltd.
- Windows 2000 password policy bypass possibility Leonid Mamtchenkov (Mar 09)