Password issues

rplantz

Windows 8 installed very nicely for me (triple boot: Windows 7; Ubuntu 11.10; Windows 8). Since this is a home computer, I used a simple six-character password. Things seemed to be going well. I installed Office, got mail working, etc.

Then I left the machine unattended for a couple of hours. It apparently went into a sleep mode. My password stopped working. I rebooted with no luck. Finally, I changed the password, but the system would not allow me to use a simple password. After several trials, I found one that works.

What are the restrictions on passwords? (These should be prominently stated somewhere.)

Why did the installer accept a simple one, but the installed system will not? Why did the system "kill" my password?
 

My Computer

System One

  • OS
    Windows 8
Are you networked with the other computers in your home by Domain? There are group policy settings that affect this.

Anyhow, simple six figure character no matter where you are is not good. You're talking seconds, if that, to hack that password and gain root access to first your pc, and then all the others on your network. (You're much better off actually blanking the password out and not using it, if you're not sharing on your network.)

Then if you're lucky, the hackers just wanted your bandwidth for ftp/xdcc warez serving galore lol. And the event logs will be clean.
 

My Computer

System One

  • OS
    8250 x86 + 7 SP1 x86 + Ubuntu 12.04 LTS x86
    CPU
    P4 3.4 GHz HT
    Motherboard
    MSI-7211
    Memory
    OCZ 2 GB DDR @ 400 MHz
    Graphics Card(s)
    HIS AGP HD 3850 Turbo Ice-Q
    Sound Card
    MOTU Traveler firewire interface
    Monitor(s) Displays
    Acer x223w
    Screen Resolution
    1680x1050
    Hard Drives
    WD Caviar Black 1 TB Sata II, WD 400 GB Sata I, WD 120 GB Sata I
    PSU
    300W generic
    Case
    Cybertron
    Keyboard
    Logitech Classic Keyboard 200, Dell RT7D20
    Mouse
    Logitech M510
    Internet Speed
    2 MByte/sec Down, 250 KByte/sec Up
> Are you networked with the other computers in your home by Domain? There are group policy settings that affect this.

But it's strange that the simple password worked until my Windows 8 (apparently) went into sleep mode.

> Anyhow, simple six figure character no matter where you are is not good. You're talking seconds, if that, to hack that password and gain root access to first your pc, and then all the others on your network. (You're much better off actually blanking the password out and not using it, if you're not sharing on your network.)

My router's firewall rules block access from outside. I just tried ShieldsUP! (don't know how good this is) and they reported that my computer is unknown to the outside world. So I don't understand why a simple password on my local machines would be a problem, since people cannot get through my router.

BTW, I'm not trying to argue here. If I'm missing something, I would very much like to learn about it.
 

>> Are you networked with the other computers in your home by Domain? There are group policy settings that affect this.
>
> But it's strange that the simple password worked until my Windows 8 (apparently) went into sleep mode.

Not sure why you didn't answer heh heh, but if there's a domain, it could have changed settings.

>> Anyhow, simple six figure character no matter where you are is not good. You're talking seconds, if that, to hack that password and gain root access to first your pc, and then all the others on your network. (You're much better off actually blanking the password out and not using it, if you're not sharing on your network.)
>
> My router's firewall rules block access from outside. I just tried ShieldsUP! (don't know how good this is) and they reported that my computer is unknown to the outside world. So I don't understand why a simple password on my local machines would be a problem, since people cannot get through my router.
>
> BTW, I'm not trying to argue here. If I'm missing something, I would very much like to learn about it.

In security with computers, there is a concept known as layering. No need to have a weak link in an otherwise strong chain. If someone is crafty enough, does enough research on your particular router, is skilled enough to do a man-in-the-middle (a.k.a. monkey-in-the-middle) attack on it and a list of things as long as my arm, cause a buffer overflow attack, or social engineer you, and that's not counting malware that could do all sorts of things like open ports - there exists possibility of success in gaining access.

Now I'm not trying to make you paranoid because the risk is low to be specifically targeted (but broad scanners do a hell of a job too, on the other hand), especially if you're just the average home user, but setting an excellent Windows password negates a large portion of any risk.

What seems to be your personal issue with doing so? If it's actually typing it: Instead, type netplwiz in the start menu then press enter. You can set it so you don't have to type the password when Windows boots to desktop. :)
 

> Now I'm not trying to make you paranoid because the risk is low to be specifically targeted (but broad scanners do a hell of a job too, on the other hand), especially if you're just the average home user, but setting an excellent Windows password negates a large portion of any risk.

I usually attend the CS Colloquia at the university where I used to teach. Many of the talks are on computer security. I have plenty of paranoia. After some of the talks I'm about ready to become a hermit. :)

> What seems to be your personal issue with doing so? If it's actually typing it: Instead, type netplwiz in the start menu then press enter. You can set it so you don't have to type the password when Windows boots to desktop. :)

Thanks for telling me about netplwiz. I'm relatively new at Windows, so I don't know many of these things.

My personal issue is that I would like to know why Windows 8 made this change on me. My simple password has been working for years on Mac OSX, several distros of Linux, Vista, and Windows 7. It also worked on Windows 8, until I let the system go into (apparently) sleep mode one day. So I'm not complaining, just trying to learn about Windows 8.

I also think it would be better if Windows 8 would tell me the restrictions on passwords when it forces me to choose a new one, especially since it forced me to change in the first place. It's a little like a spouse/partner giving you the silent treatment but not telling you the reason. :)
 

Is there a domain controller on your network at all?
 

> Is there a domain controller on your network at all?

I'm not a networking expert, but I do not have a central server on my network. All my machines are connected through my router. My ISP gave me a fixed IP address, and my router uses NAT to provide local IP addresses to each of my computers. Several connections are wired. I have secured my wireless with WPA2 and a 16-character passphrase. Also, I'm about 100 yards from the nearest road, so it's not very likely that someone sitting in a car on my road would be able to connect to my wireless. I also shut everything down overnight and when I'm not at home.
 

I think it's highly unlikely Windows changed your password, unless it was forced by a malware agent or it was via some corruption when entering/leaving 'sleep'. It's also strange that you've had problems with setting passwords with minimal complexity. This latter you can check:

1. Open Control panel
2. Select Administrative Tools
3. Select Local Security Policy
4. In the left pane, under Security Settings, select Account Policies/Password Policy
5. In the right pane look at 'Password must meet complexity requirements' it should be disabled by default.

One question, when you created your account, did you use a local account or a Live ID?
 

My Computer

System One

  • OS
    Windows 7 x64 Ultimate/Windows 8.1/Linux
    CPU
    FX-8350
    Motherboard
    GA-990XA-UD3
    Memory
    16GB DDR3 Corsair Vengeance
    Graphics Card(s)
    HD7860
    Sound Card
    Xonar Essence STX
    Monitor(s) Displays
    Benq
    Screen Resolution
    1920x1080
    Hard Drives
    Various
    PSU
    Corsair HX 850W
    Case
    Corsair Obsidian
    Cooling
    Thermalright
    Keyboard
    Logitech
    Mouse
    Logitech
    Internet Speed
    50/50
    Browser
    firefox
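
The Password Policy values that the steps in the post above look up in Local Security Policy can also be read from an elevated PowerShell prompt. This is an added example, not part of the thread; the function name and temporary file name are arbitrary choices for the example, and the key names are the ones `secedit` writes to the `[System Access]` section of its export.

```powershell
# Added example: read the local Password Policy values via a secedit export.
# Assumption: run from an elevated prompt; the export path is an arbitrary choice.
function Get-LocalPasswordPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the effective local security policy as an INF file
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (is the prompt elevated?)' }
    try {
        $policy = [ordered]@{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') {
                # Only the [System Access] section holds the password policy keys
                $inSection = ($Matches[1] -eq 'System Access')
                continue
            }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
                $policy[$Matches[1]] = $Matches[2].Trim()
            }
        }
    }
    finally {
        # The export describes the machine's security settings; do not leave it behind
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    [pscustomobject]$policy
}

$p = Get-LocalPasswordPolicy
$p | Select-Object PasswordComplexity, MinimumPasswordLength, PasswordHistorySize,
                   MaximumPasswordAge, MinimumPasswordAge | Format-List

# Complexity and minimum length are separate settings: a short password can be
# rejected even when 'Password must meet complexity requirements' is disabled.
if ([int]$p.PasswordComplexity -eq 0 -and [int]$p.MinimumPasswordLength -gt 0) {
    "Complexity is disabled, but passwords shorter than $($p.MinimumPasswordLength) characters are still rejected."
}
```

`net accounts` prints a subset of the same values (minimum length, history, maximum and minimum age) without needing the export file.
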
> I think it's highly unlikely Windows changed your password, unless it was forced by a malware agent or it was via some corruption when entering/leaving 'sleep'. It's also strange that you've had problems with setting passwords with minimal complexity. This latter you can check:
>
> 1. Open Control panel
> 2. Select Administrative Tools
> 3. Select Local Security Policy
> 4. In the left pane, under Security Settings, select Account Policies/Password Policy
> 5. In the right pane look at 'Password must meet complexity requirements' it should be disabled by default.
>
> One question, when you created your account, did you use a local account or a Live ID?

Thank you. 'Password must....' was disabled.

As far as I know, I used a local account. Since this is the first time I've used the Windows 8 installer, I may have clicked on something that I should not have.

Control Panel -> User Accounts and Family Safety -> User Accounts reports:
[My Name]
Local Account
Administrator
Password protected

I clicked on "Make changes to my account in PC settings" which sent me to a Metro app. There I tried to change my password to a simpler one. The message was "Next time you sign in, use your new password." When I clicked on "Finish", there was an additional message, "The password you entered doesn't meet password policy requirements. Try one that's longer or more complex." And even though the "Next time...." message is still displayed, the new simple password was NOT accepted.

In my opinion, this is a bad design. (I worked some 40 years as a software engineer, and I've designed several user interfaces.) I would like to give some feedback regarding this to the designers (which should be the main point of this Consumer Preview release). Where do I go to do that? Or do you think they read these forums?
 

You probably already provided feedback. I think MS "listens" to this forum but that's only my gut feeling.

Anyhow, if you type secpol.msc in the start menu then press enter:

Local Policies | Security Options

Interactive login: Prompt User to change password before expiration 5 days

and

Account Policies | Password Policy

has these settings: Capture.JPG
 

> You probably already provided feedback. I think MS "listens" to this forum but that's only my gut feeling.
>
> Anyhow, if you type secpol.msc in the start menu then press enter:
>
> Local Policies | Security Options
>
> Interactive login: Prompt User to change password before expiration 5 days
>
> and
>
> Account Policies | Password Policy
>
> has these settings: View attachment 5537

Yep, I have the same thing.
 
