A: That's right, it could. All I can do is promise that I haven't included any code like that. Also, a good idea for your part would be to download it and then look through the import table to see if there are any suspicious imports.Q: Ok, but how do I install the DLL then?
A: Copy it into %SystemRoot%\system32 (often c:\winnt\system32). Then go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and add "strongpass" (without the quotes) to the value Notification Packages. Make sure that "passfilt" is also in place there, because strongpass.dll only complements it.Q: What extra password policies does strongpass enforce?
A: The passwords must be at least 7 characters long, and if they are exactly 7 characters these must be picked from the three groups a-z/A-Z, 0-9, and special characters (other than the alphanumeric). If the password is longer than 7 characters but shorter than 14, the same rule applies to the first 7 characters. If the password is exactly 14 characters, the rule applies to either the first 7 or the last 7 characters (any group matching the rule will do). This policy will make it harder for a cracking program like L0phtcrack to crack the LANMAN hashes generated from the passwords.Q: That's all fine, but I have a whole domain with NT systems. Do I have to put strongpass in every one of them?
A: No, strongpass (and passfilt) should be in those systems which have the accounts in their SAM databases. If you only want the policy to be enforced on domain accounts, you should add the DLL's to the PDC and BDCs.Q: We're dealing with plaintext passwords here, have you been careful enough when writing this thing?
A: I sure hope so. I've taken all precautions I know of, but I'm not at all perfect. If you find a bug or anything suspicious, please send me a mail to winnt@bahnhof.se and tell me about it.Q: Can strongpass lock me out of my system?
A: Logically it shouldn't be able to, because it is only invoked when you change passwords. However, it resides inside the LSA process and if it starts overwriting stuff there, you could have a problem. The DLL won't be invoked before you try to change a password for the first time since the system has booted. Say that something goes wrong then, and the LSA process is damaged in some way. That process will remain in memory when you log out of the system and back in again - so, you may be locked out temporarily. But when rebooting the system the LSA process will be created from scratch in memory and you will be able to log on again.Q: I can't delete the strongpass.dll, why is that?
A: That is because strongpass.dll (and also passfilt.dll) is constantly loaded by the LSA process. You can't delete a file that is in use, so just remove strongpass from the registry, reboot your system to release the file and you will be able to delete it.Q: I have a question that is not covered by this FAQ. Where can I get help?
A: Send a mail to winnt@bahnhof.se with your question. I can't promise that I will have time to answer, but I'll do my best.
© 1999, Arne Vidström