Sunday, January 19, 2014

Windows password fail: sUpercalifragilisticeXpialidocious23ballmer is not complex enough

Like most modern systems that require authentication, Microsoft Windows has a password complexity setting that prevents users from picking ludicrously weak passwords like "12345" or their own name. Typically an administrator can create a policy to dictate the strength of password required, depending on the sensitivity of the environment and the nature of the data that the device contains. This can normally be summed up in a few brief rules - for example, a password must be a minimum of 8 characters and must contain both alphabetic and numeric characters. Sometimes the policy may also require upper and lower case characters or even "special characters".

Earlier today I was changing a few passwords that had expired and thoughtlessly entered a new password of mrports727somethingelse (not the real password!). Most systems accepted this, including Windows 7; however, one of my other systems rejected it because it contained my username 'mrports'. "Fair enough", I thought. Schoolboy error.

So I went back to all the other accounts and changed them to something more secure - but when it came to Windows it refused to change my password, stating that it was not complex enough. Strange. I have been using Windows for over 20 years so have a pretty good idea what is required for passwords, so I tried a few variations. Still no good. I speculated that perhaps my employer may have changed the complexity requirements recently, which was causing the problem? But even when I tried ludicrously complex passwords it would not accept them. To check that it was not a policy I created another account on my machine and changed its password to one of the ones I was trying, and it accepted it straight away. My final attempt at a password was "sUpercalifragilisticeXpialidocious23ballmer". Windows also deemed this password too weak.
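Added example (not code from the original post): the rule Microsoft documents for the "Password must meet complexity requirements" setting, applied to the two passwords quoted above. The account name `mrports` and the full name `Mr Ports` are assumed values; minimum length, password age and history are separate policy settings and are not checked here.

```python
import re

# Characters the Microsoft documentation counts as "special" for this setting.
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
# Delimiters the documentation lists for splitting the full (display) name.
NAME_DELIMS = r"[,.\-_ #\t]+"


def char_categories(password):
    """Return the set of documented character categories present."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch in "0123456789":
            cats.add("digit")
        elif ch in SPECIALS:
            cats.add("special")
        elif ch.isalpha():          # alphabetic but caseless, e.g. CJK
            cats.add("other-alpha")
    return cats


def complexity_failures(password, account_name, full_name=""):
    """List the reasons the documented complexity rule would reject a password."""
    reasons = []
    pw = password.lower()
    # Account name: whole-string, case-insensitive; skipped if under 3 chars.
    if len(account_name) >= 3 and account_name.lower() in pw:
        reasons.append("contains account name")
    # Full name: split on delimiters; tokens under 3 chars are ignored.
    for token in re.split(NAME_DELIMS, full_name):
        if len(token) >= 3 and token.lower() in pw:
            reasons.append("contains full-name token '%s'" % token)
    if len(char_categories(password)) < 3:
        reasons.append("fewer than 3 character categories")
    return reasons


if __name__ == "__main__":
    # Passwords quoted in the post; account/full name values are assumed.
    for pw in ("mrports727somethingelse",
               "sUpercalifragilisticeXpialidocious23ballmer"):
        print(pw, "->", complexity_failures(pw, "mrports", "Mr Ports") or "passes")
```

Under these assumptions the first password fails on the account name and on having only two character categories, while the second has three categories and no name match.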

I can only conclude (and this is pure speculation) that Windows was not objecting to my new password, but was in fact objecting to my previous password because it contained my username - even though it had accepted it. I attempted to change my password from another Admin account but it would not allow this either, again stating the password was not complex enough.

If you find yourself in this situation then there is a way round it. Go into Manage your computers (Start Menu, right click on Computer and Manage), select Users and Group. Right click on the appropriate user and select "Set Password". This will allow you to reset that password and everything returns to normal.













If anyone has a better explanation of what was happening I would be interested to hear it, but for now I will put this down to an interesting Windows quirk.