Help and Support
 

powered byLive Search

How to enable strong password functionality in Windows NT

View products that this article applies to.
Article ID:161990
Last Review:November 1, 2006
Revision:3.2
This article was previously published under Q161990
On This Page

SUMMARY

Microsoft Windows NT 4.0 Service Pack 2 introduces a new DLL file (Passfilt.dll) that lets you enforce stronger password requirements for users. Passfilt.dll provides enhanced security against "password guessing" or "dictionary attacks" by outside intruders.

NOTE: While Windows 95 does not support case-sensitivity in its passwords, the password change request is sent to the Primary Domain Controller (PDC)in such a way that it can enforce the password filtering rules. For example, if you change your domain password on a computer running Windows 95 to PassWord1, you can use password1, PASSWORD1, PassWord1, and so on to log on to the domain from a computer running Windows 95. However, you must use PassWord1 to log on to a computer running Windows NT.

NOTE: Passwords changed in Windows 3.x or Windows for Workgroups 3.x cannot be enforced in this password policy.

Back to the top

MORE INFORMATION

The Passfilt.dll file implements the following password policy:
1.Passwords must be at least six (6) characters long.
2.Passwords must contain characters from at least three (3) of the following four (4) classes:
      Description                     Examples
      -----------------------------------------------

      Upper case letters              A, B, C, ... Z
      Lower case letters              a, b, c, ... z
      Westernized Arabic numerals     0, 1, 2, ... 9
      Non-alphanumeric ("special 
        characters") such as 
        punctuation symbols
3.Passwords may not contain your user name or any part of your full name.
These requirements are hard-coded in the Passfilt.dll file and cannot be changed through the user interface or registry. If you wish to raise or lower these requirements, you must write your own .dll and implement it in the same fashion as the Microsoft version that is available with Windows NT 4.0 Service Pack 2.

Back to the top

How to Install Strong Password Filtering

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

To ensure Strong Password functionality occurs throughout your domain structure, make the following changes on all primary domain controllers (or stand-alone servers, where needed).

Passfilt.dll is not necessary on backup domain controllers since the PDC is the only machine where changes to the domain accounts database are made. However, it should be installed on all BDCs because they can be promoted to PDC. If a BDC without Passfilt.dll is promoted to PDC, then strong password enforcement will be lost but there will be no other adverse effects.
1.Install the latest Windows NT 4.0 service pack.
2.Copy Passfilt.dll to the %SYSTEMROOT%\SYSTEM32 folder.
3.Start Registry Editor (Regedt32.exe).
4.Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
5.If there is not a value called Notification Packages, then on the Edit menu click Add Value, and then add the following Value:
Notification Packages
This value should be a data type of REG_MULTI_SZ.

NOTE: If the Notification Packages value already exists, proceed to the next step.
6.Double-lick the Notification Packages value.
7.In the Data section there should be a value of FPNWCLNT. Create a new line, and then type PASSFILT.
8.Quit Registry Editor.
9.Restart the computer.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
174075 (http://support.microsoft.com/kb/174075/) Strong passwords with Passfilt.dll are not enforced
174076 (http://support.microsoft.com/kb/174076/) Invalid password message when strong passwords are required

Back to the top

Microsoft Windows 2000

Strong Password Functionality Included with Microsoft Windows 2000

The functionality described above for the Passfilt.dll file for Windows NT 4.0 has been included in the operating system security components for Windows 2000. You can enable strong password enforcement in Windows 2000 by starting the Local Computer Policy snap-in and enabling the Passwords must meet complexity requirements setting in Computer Configuration\Windows Settings\Security Settings\AccountPolicies\Password Policy.

Back to the top

APPLIES TO
Microsoft Windows NT Server 4.0 Standard Edition
Microsoft Windows NT Workstation 4.0 Developer Edition

Back to the top

Keywords: 
kbenv kbhowto kbnetwork KB161990

Back to the top

Article Translations

 

Other Support Options

  • Need More Help?
    Contact a Support professional by Email, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.