Password Notification Packages


Windows NT lets one install and register a custom built password filter DLL.
Microsoft provides PASSFILT.DLL which is a password filter which enforces the
following policies:


  • Passwords may not contain your user name or any part of your full name
  • Passwords must be at least six characters long
  • Passwords must contain elements from three of the four following types of
    characters:
    Character types

    1. English upper case letters A, B, C, … Z
    2. English lower case letters a, b, c, … z
    3. Westernized arabic numerals 0, 1, 2, … 9
    4. Non-alphanumeric characters (special characters $,!,%,^)
This PASSFILT functionality is built into Windows 2000
without having to add DLLs. Strong password enforcement can be enabled on
Windows 2000 using the system administration tools.

  • In administration console locate Local Security
    Policy

  • Select Account Policy | Password Policy
  • Enable the Passwords must meet complexity
    requirements
    setting
This is managed via password filter DLLs
and the following registry key which NT activates each time a password is
changed, conveying the new password to the DLLs (or in PASSFILT’s case, setting
policy).

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name:
Notification Packages
Type: REG_MULTI_SZ
Value: list of DLL names without .DLL suffix that reside in the System32
directory that need to be enabled

It is essential that this registry entry only name trusted DLLs in the
SYSTEM32 folder and that are read-only to other than admins. Arne Vidstrom has
released an enhanced strong password filter dll. Strongpass works like the standard
passfilt.dll, but enforces some extra password policies. The passwords must be
at least 7 characters long, and if they are exactly 7 characters these must be
picked from the three groups a-z/A-Z, 0-9, and special characters (other than
the alphanumeric). If the password is longer than 7 characters but shorter than
14, the same rule applies to the first 7 characters. If the password is exactly
14 characters, the rule applies to either the first 7 or the last 7 characters
(any group matching the rule will do). This policy will make it harder for a
cracking program like L0phtcrack to crack the LANMAN hashes generated from the
passwords.

Related:

Q151082 : HOWTO: Password Change Filtering & Notification in
Windows NT

Q161990 : How to Enable Strong Password Functionality in Windows
NT

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top