Invalid Characters for an NT Password
Windows allows any character of the UTF-16 character set in passwords.
From Technet regarding password complexity (see the last bullet point):

Password must meet complexity requirements

Description
This security setting determines whether passwords must meet complexity requirements.
If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:
- Not contain the user's entire Account Name or entire Full Name. The Account Name and Full Name are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the Account Name or Full Name are split and all sections are verified not to be included in the password. There is no check for any character or any three characters in succession.
- Contain characters from three of the following five categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
  - A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific.
JSchlather
Updated on September 17, 2022
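As an added example (not part of the original answer), the following Python models the two Technet rules quoted above: split the Account Name and Full Name on the listed delimiters and reject any password containing a whole section, then require characters from three of the five categories. The case-insensitive name comparison and the sample account names are assumptions, not something the quoted text states.

```python
import re

# Delimiters the Technet text lists for splitting the Account Name and Full Name
DELIMITERS = ",.-_ #\t"
_SPLIT = re.compile("[" + re.escape(DELIMITERS) + "]")


def name_sections(name: str) -> list[str]:
    """Split a name on the listed delimiters and drop empty pieces."""
    return [part for part in _SPLIT.split(name) if part]


def contains_name_section(password: str, account_name: str, full_name: str) -> bool:
    """True if any whole section of either name appears in the password.
    Assumption (not stated in the quoted text): the comparison ignores case."""
    haystack = password.casefold()
    return any(
        section.casefold() in haystack
        for name in (account_name, full_name)
        for section in name_sections(name)
    )


def categories(password: str) -> set[str]:
    """Return which of the five Technet categories the password draws from."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif ch.isascii():
            found.add("symbol")    # non-alphabetic characters such as ! $ # %
        else:
            found.add("unicode")   # catch-all fifth category, e.g. é or €
    return found


def meets_complexity(password: str, account_name: str, full_name: str) -> bool:
    """Apply the two quoted rules: no name section, and three of five categories."""
    if contains_name_section(password, account_name, full_name):
        return False
    return len(categories(password)) >= 3


if __name__ == "__main__":
    # Constructed sample account (not real data)
    for pw in ("Correct-Horse7", "Smith2024!", "password1", "passwordé1"):
        print(pw, meets_complexity(pw, "jsmith", "John Smith-Jones"))
```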
JSchlather almost 2 years
It seems most of the information regarding NT passwords on the internet is about how to crack them. There doesn't seem to be a list of characters that are specifically not allowed like there is for usernames. As far as I can tell, there are no characters that are disallowed.
I am specifically looking at normal, printable ASCII characters, though a dash of Unicode would satisfy some curiosity as well.
Kyle Brandt almost 15 years
I would bet it doesn't like NULL bytes ;-)
JS. almost 15 years
If the password is less than 14 chars, then it will be padded to 14 with null bytes.
Kyle Brandt almost 15 years
What happens if you put in something like mypas\0sword? Will the password just be mypas?
JS. almost 15 years
It would accept \0 as 2 characters, not a null byte. I guess you would have to inject it somehow to mess up the password.
raja almost 15 years
On a side note, programmatically you can set passwords that are untypeable in the GUI. I believe (but can't find via Google) that the limit is 255 chars, but the GUI only allows 127 to be entered.