Password Notification Packages

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT lets an administrator install and register a custom-built password filter DLL. Microsoft provides one such filter, PASSFILT.DLL, which enforces the following policies:
  • Passwords may not contain your user name or any part of your full name
  • Passwords must be at least six characters long
  • Passwords must contain elements from three of the four following types of characters:
    Character types
    1. English upper case letters A, B, C, ... Z
    2. English lower case letters a, b, c, ... z
    3. Westernized Arabic numerals 0, 1, 2, ... 9
    4. Non-alphanumeric characters (special characters, e.g. $, !, %, ^)
The PASSFILT functionality is built into Windows 2000; no DLL needs to be added. Strong password enforcement is enabled on Windows 2000 with the system administration tools:
  • In administration console locate Local Security Policy
  • Select Account Policy | Password Policy
  • Enable the Passwords must meet complexity requirements setting
Underneath, the feature is implemented by password filter DLLs listed in the following registry key. NT invokes each listed DLL whenever a password is changed, passing it the new password so the DLL can accept or reject it (PASSFILT uses this to enforce the policy above).

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: Notification Packages
Type: REG_MULTI_SZ
Value: the names of the DLLs to enable, without the .DLL suffix; each must reside in the System32 directory

It is essential that this registry entry names only trusted DLLs, that those DLLs reside in the SYSTEM32 folder, and that both the entry and the DLLs are read-only for everyone except administrators: whatever is listed here receives every new password as it is set.

Arne Vidstrom has released an enhanced strong password filter DLL, Strongpass. It works like the standard passfilt.dll but enforces some extra password policies. Passwords must be at least 7 characters long, and a password of exactly 7 characters must draw on all three groups a-z/A-Z, 0-9 and special (non-alphanumeric) characters. If the password is longer than 7 characters but shorter than 14, the same rule applies to its first 7 characters. If the password is exactly 14 characters, the rule applies to either the first 7 or the last 7 characters (either half satisfying the rule is enough). The 7-character blocks matter because the LANMAN hash is computed over two 7-character halves of the password, so this policy makes it harder for a cracking program such as L0phtcrack to crack the LANMAN hashes generated from the passwords.
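The rules described above, written out as portable C functions so they can be tried on sample passwords. This is an added illustration, not code from the article, from PASSFILT.DLL or from Strongpass; a real filter DLL exports a PasswordFilter routine that receives the account name, full name and password as UNICODE_STRINGs, for which the plain char strings here stand in, and treating whitespace-separated words of three or more characters as the "parts" of the full name is an assumption made for this example.

```c
#include <ctype.h>
#include <string.h>
enum { UP = 1, LO = 2, DI = 4, SP = 8 };  /* the four PASSFILT character classes */

/* Bitmask of the character classes present in pw[0..n). */
static int classes(const char *pw, size_t n) {
    int m = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        m |= isupper(c) ? UP : islower(c) ? LO : isdigit(c) ? DI : SP;
    }
    return m;
}

/* Case-insensitive test for needle[0..n) occurring anywhere in hay. */
static int contains_ci(const char *hay, const char *needle, size_t n) {
    for (size_t hl = strlen(hay), i = 0; n > 0 && i + n <= hl; i++) {
        size_t k = 0;
        while (k < n && tolower((unsigned char)hay[i + k]) == tolower((unsigned char)needle[k])) k++;
        if (k == n) return 1;
    }
    return 0;
}
/* PASSFILT.DLL rules as listed in the article: >= 6 chars, 3 of the 4 classes, no user name
 * and no full-name "part" (assumed here: a whitespace-separated word of 3+ characters). */
int passfilt_ok(const char *user, const char *full, const char *pw) {
    int m = classes(pw, strlen(pw));
    if (strlen(pw) < 6 || !!(m & UP) + !!(m & LO) + !!(m & DI) + !!(m & SP) < 3) return 0;
    if (*user && contains_ci(pw, user, strlen(user))) return 0;
    for (const char *p = full; *p;) {
        while (*p && isspace((unsigned char)*p)) p++;
        const char *w = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if (p - w >= 3 && contains_ci(pw, w, (size_t)(p - w))) return 0;
    }
    return 1;
}

/* Strongpass: a 7-char half must mix letters, digits and specials (LANMAN hashes are built
 * from two 7-char halves). Checked on the first 7 chars, or on either half of a 14-char password. */
static int half_ok(const char *pw, size_t off) {
    int m = classes(pw + off, 7);
    return (m & (UP | LO)) && (m & DI) && (m & SP);
}
int strongpass_ok(const char *pw) {
    size_t n = strlen(pw);
    if (n == 14) return half_ok(pw, 0) || half_ok(pw, 7);
    return n >= 7 && half_ok(pw, 0);  /* over 14 the article is silent; first 7 assumed */
}
```

A password such as Tr0ub4dor! satisfies the PASSFILT rules yet fails Strongpass, because its first seven characters contain no special character and that is the block a LANMAN cracker attacks first.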

Related:

Q151082 : HOWTO: Password Change Filtering & Notification in Windows NT

Q161990 : How to Enable Strong Password Functionality in Windows NT