Levenshtein distance and weak passwords

Passwords must not contain the user's entire samAccountName (Account Name)
value or entire displayName (Full Name) value. Both checks are not case
sensitive:

    The samAccountName is checked in its entirety only to determine whether it
is part of the password. If the samAccountName is less than three characters
long, this check is skipped.

    The displayName is parsed for delimiters: commas, periods, dashes or
hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters
are found, the displayName is split and all parsed sections (tokens) are
confirmed not to be included in the password. Tokens that are less than three
characters in length are ignored, and substrings of the tokens are not checked.
For example, the name "Erin M. Hagens" is split into three tokens: "Erin," "M,"
and "Hagens." Because the second token is only one character long, it is
ignored. Therefore, this user could not have a password that included either
"erin" or "hagens" as a substring anywhere in the password.

( src )

There is a very easy way to catch such 'weak' passwords: compute the Levenshtein (edit) distance between the password entered and the account name, the full name and any other user data that is known (date of birth, address, mother's maiden name, etc.). One caveat: the distance between a whole password and a short name token grows with the length difference, so a long password that merely contains the name would look far from it. Compare each token against the best-matching substring of the password (or against each window of the password of roughly the token's length) rather than against the password as a whole.
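A worked version of this check, as an added example (not code from the original post). It tokenises the display name exactly as in the Microsoft rules quoted above (the listed delimiters, the three-character minimum, case-insensitive comparison) and then scores each token against the password with the substring variant of the edit distance (Sellers' algorithm), so that a token hidden anywhere in a long password scores 0 and a one-character evasion such as "Hag3ns" scores 1. The user name, display name and passwords are constructed sample inputs, and the `max_distance` threshold of 1 is an assumption to be tuned per policy.

```python
"""Weak-password check against account-name tokens (added example).

Applies the tokenising rules quoted from Microsoft's password-complexity
documentation: split the display name on , . - _ space # and tab, ignore
tokens shorter than three characters, compare case-insensitively, and check
the samAccountName as a whole. A plain Levenshtein distance between a
12-character password and a 5-letter name is at least 7 just because of the
length difference, so each token is scored against the best-matching
substring of the password instead (Sellers' algorithm: row 0 of the DP table
is all zeros so a match may start anywhere, and the answer is the minimum of
the last row). Score 0 is exactly Microsoft's substring rule; a small
positive score catches evasions such as "Hag3ns" that the rule misses.
"""
from __future__ import annotations

import re

DELIMITERS = re.compile(r"[,.\-_ #\t]+")   # the delimiters named in the rule
MIN_TOKEN_LEN = 3                           # shorter tokens are ignored


def name_tokens(sam_account_name: str, display_name: str) -> list[str]:
    """Tokens a password must not contain, per the quoted rules (lower-cased)."""
    tokens = []
    sam = sam_account_name.lower()
    if len(sam) >= MIN_TOKEN_LEN:           # samAccountName is checked whole
        tokens.append(sam)
    for tok in DELIMITERS.split(display_name.lower()):
        if len(tok) >= MIN_TOKEN_LEN:       # "M" in "Erin M. Hagens" is dropped
            tokens.append(tok)
    return tokens


def substring_edit_distance(needle: str, haystack: str) -> int:
    """Minimum Levenshtein distance between needle and any substring of haystack."""
    prev = [0] * (len(haystack) + 1)        # row 0 all zeros: match may start anywhere
    for i, nc in enumerate(needle, start=1):
        cur = [i] + [0] * len(haystack)     # needle[:i] against "" costs i deletions
        for j, hc in enumerate(haystack, start=1):
            cost = 0 if nc == hc else 1
            cur[j] = min(prev[j] + 1,       # delete nc
                         cur[j - 1] + 1,    # insert hc
                         prev[j - 1] + cost)  # substitute (or match for free)
        prev = cur
    return min(prev)                        # match may end anywhere


def weakest_token(password: str, tokens: list[str]) -> tuple[str | None, int]:
    """The token closest to some substring of the password, and that distance."""
    best, best_d = None, len(password) + 1
    for tok in tokens:
        d = substring_edit_distance(tok, password.lower())
        if d < best_d:
            best, best_d = tok, d
    return best, best_d


def password_is_weak(password: str, sam_account_name: str, display_name: str,
                     max_distance: int = 1) -> bool:
    """True if a name token occurs in the password exactly (distance 0, the
    Microsoft rule) or with up to max_distance edits (the stricter variant).
    max_distance=1 is an assumed policy value."""
    tokens = name_tokens(sam_account_name, display_name)
    if not tokens:
        return False
    _, d = weakest_token(password, tokens)
    return d <= max_distance


if __name__ == "__main__":
    # Constructed sample inputs, taken from the example name in the quoted rules.
    user, full = "ehagens", "Erin M. Hagens"
    for pw in ["Hagens2024!", "Hag3ns2024!", "eH@gens-1", "xK9#vLq2pWm$"]:
        tok, d = weakest_token(pw, name_tokens(user, full))
        print(f"{pw:14} closest token {tok!r:10} distance {d}  "
              f"weak={password_is_weak(pw, user, full)}")
```

The threshold matters: with `max_distance=0` the check is exactly the documented substring rule and "Hag3ns2024!" passes; with `max_distance=1` it is rejected, while a random password such as "xK9#vLq2pWm$" stays at distance 4 or more from every token.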

More about Levenshtein distance.


20251118 13:23:26 CET: Again, about Levenshtein distance.

Spelling alphabet (Alfa, Bravo, Charlie, Delta, etc.): the Levenshtein (edit) distance between any two words is kept as large as possible.

The words are picked so that the two words of any pair are hard to confuse with each other, just as the codewords of an error-correcting code are.

This is the same idea as the code used in pagers in the 1990s:

Transmission uses 32-bit blocks called codewords. Each codeword carries 21 bits
of information (bits 31 through 11), 10 bits of error-correcting code (bits 10
through 1), and an even parity bit (bit 0). Bits 31 through 1 are a binary BCH
code (31, 21). The error-correcting code has a 6-bit Hamming distance: each
31-bit codeword differs from every other codeword in at least 6 bits.
Consequently, the code can detect and correct up to 2 errors in a codeword.
( Radio-paging code No. 1 (POCSAG) )
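To make the parallel concrete, here is an added example (not part of the original post, nor of the POCSAG specification) that treats both the spelling alphabet and a small block code as codes with a minimum distance. It computes the smallest pairwise Levenshtein distance over the 26 spelling-alphabet words, builds the 16 codewords of the [8,4] extended Hamming code (a [7,4] Hamming code plus an even parity bit, a miniature of POCSAG's BCH(31,21) plus parity) and corrects a single flipped bit by nearest-codeword decoding. The generator matrix and the sample error patterns are chosen for the example.

```python
"""Minimum distance of a code, for words and for bit strings (added example).

The spelling alphabet and the POCSAG codewords are both codes in the
coding-theory sense: sets of symbols chosen so that any two members are far
apart. For words the metric is Levenshtein (edit) distance; for fixed-length
codewords it is Hamming distance. A code of minimum distance d detects any
d-1 errors and corrects any (d-1)//2 of them by picking the nearest codeword.
POCSAG's BCH(31,21) plus parity has d = 6; the [8,4] extended Hamming code
built below has d = 4, so it corrects 1 bit error and detects 2 or 3.
"""
from itertools import combinations, product

NATO = ["Alfa", "Bravo", "Charlie", "Delta", "Echo", "Foxtrot", "Golf", "Hotel",
        "India", "Juliett", "Kilo", "Lima", "Mike", "November", "Oscar", "Papa",
        "Quebec", "Romeo", "Sierra", "Tango", "Uniform", "Victor", "Whiskey",
        "X-ray", "Yankee", "Zulu"]


def levenshtein(a: str, b: str) -> int:
    """Wagner-Fischer edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hamming(x: int, y: int) -> int:
    """Number of bit positions in which two codewords differ."""
    return bin(x ^ y).count("1")


def min_distance(code, dist):
    """Smallest pairwise distance in the code, with one pair that attains it."""
    return min((dist(u, v), u, v) for u, v in combinations(code, 2))


def error_budget(d: int) -> tuple[int, int]:
    """(errors detected, errors corrected) for minimum distance d."""
    return d - 1, (d - 1) // 2


def extended_hamming_code() -> list[int]:
    """All 16 codewords of the [8,4] extended Hamming code as 8-bit integers.
    Systematic [7,4] Hamming code (parity p1=d1^d2^d4, p2=d1^d3^d4,
    p3=d2^d3^d4) extended with an even-parity bit in bit 0, the same layout
    POCSAG uses for its 32-bit codeword. The generator is chosen for the example."""
    code = []
    for d1, d2, d3, d4 in product((0, 1), repeat=4):
        bits = [d1, d2, d3, d4, d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4]
        bits.append(sum(bits) % 2)          # overall even parity
        word = 0
        for bit in bits:
            word = (word << 1) | bit
        code.append(word)
    return code


def correct(received: int, code: list[int]) -> tuple[int, int]:
    """Nearest-codeword decoding: (closest codeword, number of bits changed)."""
    best = min(code, key=lambda c: hamming(c, received))
    return best, hamming(best, received)


if __name__ == "__main__":
    d, u, v = min_distance([w.lower() for w in NATO], levenshtein)
    print(f"spelling alphabet: min edit distance {d}, e.g. {u!r} vs {v!r}")

    code = extended_hamming_code()
    d, u, v = min_distance(code, hamming)
    print(f"[8,4] extended Hamming: min Hamming distance {d}, "
          f"detects {error_budget(d)[0]}, corrects {error_budget(d)[1]}")
    sent = code[5]
    for flips in (0b00001000, 0b00100100):   # constructed 1-bit and 2-bit errors
        fixed, n = correct(sent ^ flips, code)
        print(f"sent {sent:08b} received {sent ^ flips:08b} -> "
              f"nearest {fixed:08b} at distance {n} ({'ok' if fixed == sent else 'ambiguous'})")
    print(f"POCSAG d=6 -> detects {error_budget(6)[0]}, corrects {error_budget(6)[1]}")
```

The one-bit error always decodes back to the codeword that was sent; a two-bit error lands at distance 2 from the sent word and possibly from another codeword as well, so it is detected (distance is non-zero) but cannot be corrected reliably, which is exactly why POCSAG needs d = 6 to correct two errors.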

(The post was first published on 20250227.)

